CVE-2024-23792
published 2024-01-29
CVE-2024-23792: When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user. The attack requires a logged-in other user…
Priority P3 · 35 · medium · 6.5 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.34% (26.4th percentile)
When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment.
This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| otrs | otrs | >= 7.0.0 < 7.0.49 | 7.0.49 |
| otrs | otrs | >= 8.0.0 < 2024.1.1 | 2024.1.1 |
| otrs_ag | otrs | 2023.x – 2023.1.1 | — |
| otrs_ag | otrs | 7.0.x – 7.0.48 | — |
| otrs_ag | otrs | 8.0.x – 8.0.37 | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
osv · 6.5 MEDIUM
GHSA
GHSA-4h85-vpxq-834q: When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user
ghsa_unreviewed·2024-01-29
CVE-2024-23792 [MEDIUM] CWE-287 GHSA-4h85-vpxq-834q: When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user
OSV
CVE-2024-23792: When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user
osv·2024-01-29·CVSS 6.5
CVE-2024-23792 [MEDIUM] CVE-2024-23792: When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-01-29
Published