CVE-2024-43444 — Log File Information Exposure in AG Otrs

CWE-532 — Log File Information Exposure4 documents4 sources

Severity

8.2HIGHNVD

EPSS

0.2%

top 58.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Otrs AG Community Edition

Timeline

PublishedAug 26

Description

Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5otrs_ag/community_edition6.0.x

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.50+3

🔴Vulnerability Details

GHSA

GHSA-m8cw-854g-5gvm: Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sour↗2024-08-26

▶

CVEList

Passwords are written to Admin Log Module↗2024-08-26

▶

OSV

CVE-2024-43444: Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sour↗2024-08-26

▶