CVE-2024-23794

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:  * 8.0.X * 2023.X * from 2024.X through 2024.4.x
Configurations

Configuration 1 (hide)

cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:58

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 5.2
References () https://otrs.com/release-notes/otrs-security-advisory-2024-06/ - Vendor Advisory () https://otrs.com/release-notes/otrs-security-advisory-2024-06/ - Vendor Advisory

16 Jul 2024, 18:05

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de asignación de privilegios incorrecta en la funcionalidad de edición en línea de OTRS puede provocar una escalada de privilegios. Esta falla permite que un agente con permisos de solo lectura obtenga acceso completo a un ticket. Este problema surge en casos muy raros cuando un administrador ha habilitado previamente la configuración 'RequiredLock' de 'AgentFrontend::Ticket::InlineEditing::Property###Watch' en la configuración del sistema. Este problema afecta a OTRS: * 8.0.X * 2023.X * desde 2024.X hasta 2024.4.x
References () https://otrs.com/release-notes/otrs-security-advisory-2024-06/ - () https://otrs.com/release-notes/otrs-security-advisory-2024-06/ - Vendor Advisory
CPE cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
First Time Otrs otrs
Otrs
CVSS v2 : unknown
v3 : 5.2
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo

15 Jul 2024, 11:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 10.0
v2 : unknown
v3 : 5.2

15 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-15 08:15

Updated : 2024-11-21 08:58


NVD link : CVE-2024-23794

Mitre link : CVE-2024-23794

CVE.ORG link : CVE-2024-23794


JSON object : View

Products Affected

otrs

  • otrs
CWE
CWE-266

Incorrect Privilege Assignment

NVD-CWE-noinfo