CVE-2023-38056 — OS Command Injection in AG Otrs

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.4%

top 39.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Otrs Otrs AG Community Edition

Timeline

PublishedJul 24

Description

Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.34

▶NVDotrs/otrs7.0.0 — 7.0.45+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.45+1

🔴Vulnerability Details

OSV

CVE-2023-38056: Improper Neutralization of commands allowed to be executed via OTRS System Configuration e↗2023-07-24

▶

GHSA

GHSA-236v-xxhj-r9jw: Improper Neutralization of commands allowed to be executed via OTRS System Configuration e↗2023-07-24

▶

CVEList

Code execution via System Configuration↗2023-07-24

▶