CVE-2024-43446: Improper Privilege Management in AG Otrs

Severity: 3.5 LOW (NVD)
EPSS: 0.1% (top 79.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 27

Description

An improper privilege management vulnerability in the OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions.

This issue affects:

* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition are also very likely to be affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.1 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 otrs_ag/community_edition 6.0.x 6.0.34
CVEListV5 otrs_ag/otrs 2025.x 2025.1.x +4

Vulnerability Details (2)

CVEList: Improper check of permissions in Generic Interface (2025-01-27)
GHSA: GHSA-chc6-3mhw-pc4r: An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permis (2025-01-27)