Lucene search

OTRSCVE-2024-23793

HistoryJun 06, 2024 - 7:15 p.m.

CVE-2024-23793

2024-06-0619:15:52

CWE-22

OTRS

web.nvd.nist.gov

vulnerability

file upload

path traversal

otrs

otrs community edition

web server

local code execution

perl scripts

cve-2024-23793

nvd

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

AI Score

7.2

Confidence

Low

EPSS

Percentile

10.5%

JSON

The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.
This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "modules": [
      "File Upload"
    ],
    "product": "OTRS",
    "vendor": "OTRS AG",
    "versions": [
      {
        "lessThanOrEqual": "7.0.49",
        "status": "affected",
        "version": "7.0.x",
        "versionType": "Patch"
      },
      {
        "status": "affected",
        "version": "8.0.x"
      },
      {
        "status": "affected",
        "version": "2023.x"
      },
      {
        "lessThanOrEqual": "2024.3.2",
        "status": "affected",
        "version": "2024.x",
        "versionType": "Patch"
      }
    ]
  },
  {
    "defaultStatus": "affected",
    "product": "((OTRS)) Community Edition",
    "vendor": "OTRS AG",
    "versions": [
      {
        "lessThanOrEqual": "6.0.34",
        "status": "affected",
        "version": "6.0.1",
        "versionType": "All"
      }
    ]
  }
]

References

otrs.com/release-notes/otrs-security-advisory-2024-05/