Products
OTRS
- 8.0.X
- 2023.X
- from 2024.X through 2024.4.x
Source
security@otrs.com
Tags
CVE-2024-23794 details
Published : July 15, 2024, 8:15 a.m.
Last Modified : July 15, 2024, 1 p.m.
Last Modified : July 15, 2024, 1 p.m.
Description
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: * 8.0.X * 2023.X * from 2024.X through 2024.4.x
CVSS Score
| 1 | 2 | 3 | 4 | 5.2 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-266 | Incorrect Privilege Assignment | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.2
Exploitability Score
0.9
Impact Score
4.2
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
References
| URL | Source |
|---|---|
| https://otrs.com/release-notes/otrs-security-advisory-2024-06/ | security@otrs.com |
This website uses the NVD API, but is not approved or certified by it.