CVE-2023-38060 — Improper Input Validation in AG Otrs

CWE-20 — Improper Input Validation CWE-74 — Injection5 documents5 sources

Severity

8.8HIGHNVD

CNA6.3

EPSS

0.2%

top 53.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Znuny Otrs +1 more

Timeline

PublishedJul 24

Description

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.34

▶NVDotrs/otrs7.0.0 — 7.0.45+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.45+1

▶Debianznuny/znuny< 6.5.3-1+1

🔴Vulnerability Details

GHSA

GHSA-9fvp-3hg9-xrcv: Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic In↗2023-07-24

▶

CVEList

Host header injection by attachments in web service↗2023-07-24

▶

OSV

CVE-2023-38060: Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic In↗2023-07-24

▶

📋Vendor Advisories

Debian

CVE-2023-38060: otrs2 - Improper Input Validation vulnerability in the ContentType parameter for attachm...↗2023

▶