CVE Vulnerabilities

CVE-2024-23792

Improper Authentication

Published: Jan 29, 2024 | Modified: Feb 02, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment.

This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Otrs Otrs 7.0.0 (including) 7.0.49 (excluding)
Otrs Otrs 8.0.0 (including) 2024.1.1 (excluding)
Otrs2 Ubuntu bionic *
Znuny Ubuntu mantic *

Potential Mitigations

References