CVE-2023-2534Improper Authorization in AG Otrs

CWE-285Improper AuthorizationCWE-863Incorrect Authorization4 documents4 sources
Severity
8.1HIGHNVD
CNA7.6
EPSS
0.1%
top 65.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Otrs AG OtrsOtrs
Timeline
PublishedMay 8
Latest updateJul 6

Description

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDotrs/otrs8.0.08.0.32
CVEListV5otrs_ag/otrs8.0.x8.0.32

🔴Vulnerability Details

2
GHSA
GHSA-67qg-pjv2-pg9v: Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and2023-07-06
CVEList
Information disclouse and DoS via websocket push events2023-05-08

💥Exploits & PoCs

1
Nuclei
PyTorch TorchServe SSRF
CVE-2023-2534 — Improper Authorization in Otrs AG Otrs | cvebase