An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to move a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Otrs | Otrs | 8.0.0 (including) | 8.0.35 (excluding) |
Otrs2 | Ubuntu | bionic | * |
Znuny | Ubuntu | bionic | * |
Znuny | Ubuntu | lunar | * |
Znuny | Ubuntu | mantic | * |
Znuny | Ubuntu | trusty | * |
Znuny | Ubuntu | xenial | * |