CVE-2024-6540

Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x

Configurations

Configuration 1

cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:49

Type Values Removed Values Added
CVSS
  Removed: v2 : unknown, v3 : 5.3
  Added: v2 : unknown, v3 : 5.7
References
  Removed: https://otrs.com/release-notes/otrs-security-advisory-2024-07/ - Vendor Advisory
  Added: https://otrs.com/release-notes/otrs-security-advisory-2024-07/ - Vendor Advisory

16 Jul 2024, 18:05

Type Values Removed Values Added
Summary
  • (es) Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the administrator has disabled TicketSearchLegacyEngine. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
References
  Removed: https://otrs.com/release-notes/otrs-security-advisory-2024-07/
  Added: https://otrs.com/release-notes/otrs-security-advisory-2024-07/ - Vendor Advisory
CVSS
  Removed: v2 : unknown, v3 : 5.7
  Added: v2 : unknown, v3 : 5.3
CPE cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
First Time Otrs otrs
Otrs
CWE NVD-CWE-noinfo

15 Jul 2024, 11:15

Type Values Removed Values Added
Summary
  Removed: (en) Improper filtering of fields when using the export function in the ticket overview of the external interface could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
  Added: (en) Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x

15 Jul 2024, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-15 08:15

Updated : 2024-11-21 09:49


NVD link : CVE-2024-6540

Mitre link : CVE-2024-6540

CVE.ORG link : CVE-2024-6540



Products Affected

otrs

  • otrs

CWE

CWE-790

Improper Filtering of Special Elements

NVD-CWE-noinfo