CVE Vulnerabilities

CVE-2023-38059

Published: Oct 16, 2023 | Modified: Oct 19, 2023
CVSS 3.x: 5.3 MEDIUM (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu: MEDIUM

The loading of external images is not blocked, even if configured, if the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Affected Software

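| Name  | Vendor | Start Version     | End Version        |
|-------|--------|-------------------|--------------------|
| Otrs  | Otrs   | 6.0.0 (including) | 6.0.34 (including) |
| Otrs  | Otrs   | 7.0.0 (including) | 7.0.47 (excluding) |
| Otrs  | Otrs   | 8.0.0 (including) | 8.0.37 (excluding) |
| Otrs2 | Ubuntu | bionic            | *                  |
| Otrs2 | Ubuntu | trusty            | *                  |
| Otrs2 | Ubuntu | xenial            | *                  |
| Znuny | Ubuntu | bionic            | *                  |
| Znuny | Ubuntu | lunar             | *                  |
| Znuny | Ubuntu | mantic            | *                  |
| Znuny | Ubuntu | trusty            | *                  |
| Znuny | Ubuntu | xenial            | *                  |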

References