CVE-2023-1250: OTRS Security Advisory 2023-02 | OTRS

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: [email protected]

PGP Key

• pub 2048R/9C227C6B 2011-03-21
• uid OTRS Security Team <[email protected]>
• GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

• ID: OSA-2023-02
• Date: 2023-03-20
• Title: Code execution through ACL creation
• Severity: 7.4 HIGH
• Product: OTRS 7.0.x, OTRS 8.0.x
• Fixed in: OTRS 7.0.42, OTRS 8.0.31
• FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
• References: CVE-2023-1250

OSA-2023-02 Code execution through ACL creation (CVE-2023-1250)

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names.

PRODUCT AFFECTED:

This issue affects

OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31;

((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

PROBLEM:

CWE-20 Improper Input Validation CWE-20

Impact:

CAPEC-549 Local Execution of Code CAPEC-549

Product Status

OTRS AG OTRS » ACL

Default status is affected

from 7.0.x before 7.0.42

from 8.0.x before 8.0.31

OTRS AG ((OTRS)) Community Edition » Ticket Actions

Default status is affected

from 6.0.1 through 6.0.34

SOLUTION:

Update to OTRS 7.0.42, OTRS 8.0.31

MODIFICATION HISTORY:

• —

• CVE-2023-1250

CVSS SCORE:

3.1 VECTOR: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

RISK LEVEL:

HIGH

ACKNOWLEDGEMENTS:

—