CVE-2023-38058: OTRS Security Advisory 2023-07 | OTRS
An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to move a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
Release Note
Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: [email protected]
PGP Key
- pub 2048R/9C227C6B 2011-03-21
- uid OTRS Security Team <[email protected]>
- GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B
Security Advisory Details
- ID: OSA-2023-07
- Date: 2023-07-24
- Title: Tickets can be moved without permission
- Severity: 4.1 MEDIUM
- Product: OTRS 8.0.x
- Fixed in: OTRS 8.0.35
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
- References: CVE-2023-38058
OSA-2023-07 Tickets can be moved without permission (CVE-2023-38058)
An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to move a ticket without the needed permission.
PRODUCT AFFECTED:
This issue affects
OTRS: from 8.0.X before 8.0.35
PROBLEM:
CWE-269 Improper Privilege Management
Impact:
CAPEC-233 Privilege Escalation
Product Status
OTRS AG OTRS » Agent interface
Default status is affected
from 8.0.x before 8.0.35
SOLUTION:
Update to OTRS 8.0.35
MODIFICATION HISTORY:
- —
CVSS SCORE:
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
RISK LEVEL:
MEDIUM
ACKNOWLEDGEMENTS: