CVE-2024-23794

EUVD-2024-21247

15.07.2024, 08:15

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: 

  *  8.0.X
  *  2023.X
  *  from 2024.X through 2024.4.x

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.2 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
OTRS	CNA	5.2 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Affected Products (NVD)

Vendor	Product	Version
otrs	otrs	8.0.0 ≤ 𝑥 < 2024.5.2

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

znuny

focal	dne
jammy	dne
noble	not-affected

Common Weakness Enumeration

CWE-266 - Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

https://otrs.com/release-notes/otrs-security-advisory-2024-06/