CVE-2024-23792 — Improper Authentication in Otrs

CWE-287 — Improper Authentication4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.3

EPSS

0.1%

top 67.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Otrs AG Otrs

Timeline

PublishedJan 29

Description

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDotrs/otrs7.0.0 — 7.0.49+1

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.48+2

🔴Vulnerability Details

CVEList

Insufficient access control↗2024-01-29

▶

GHSA

GHSA-4h85-vpxq-834q: When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user↗2024-01-29

▶

OSV

CVE-2024-23792: When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user↗2024-01-29

▶