CVE-2024-23794Incorrect Privilege Assignment in Otrs

CWE-266Incorrect Privilege Assignment3 documents3 sources
Severity
7.5HIGHNVD
CNA5.2
EPSS
0.1%
top 65.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
OtrsOtrs AG Otrs
Timeline
PublishedJul 15

Description

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: * 8.0.X * 2023.X * from 2024.X through 2024.4.x

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

NVDotrs/otrs8.0.02024.5.2
CVEListV5otrs_ag/otrs2024.x2024.4.x+2

🔴Vulnerability Details

2
CVEList
Agents are able to lock the ticket without the "Owner" permission2024-07-15
GHSA
GHSA-295x-34p8-7q26: An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation2024-07-15
CVE-2024-23794 — Incorrect Privilege Assignment in Otrs | cvebase