CVE-2023-1250 — Improper Input Validation in AG Otrs

CWE-20 — Improper Input Validation CWE-94 — Code Injection CWE-1250 — Improper Preservation of Consistency Between Independent Representations of Shared State5 documents5 sources

Severity

7.8HIGHNVD

CNA7.4

EPSS

0.2%

top 59.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Otrs Otrs AG Community Edition

Timeline

PublishedMar 20

Latest updateNov 14

Description

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.34

▶NVDotrs/otrs7.0.0 — 7.0.42+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.42+1

🔴Vulnerability Details

GHSA

GHSA-jwm9-wmrq-4g6h: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code↗2023-03-20

▶

CVEList

Code execution through ACL creation↗2023-03-20

▶

OSV

CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code↗2023-03-20

▶

📋Vendor Advisories

Red Hat

postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes↗2024-11-14

▶