Lucene search

PRIOn knowledge basePRION:CVE-2024-23792

HistoryJan 29, 2024 - 10:15 a.m.

Code injection

2024-01-2910:15:00

PRIOn knowledge base

www.prio-n.com

code injection

ticket comments

impersonation

unauthorized uploads

otrs

vulnerability

security issue

nvd

uuid.

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.0005 Low

EPSS

Percentile

13.1%

JSON

When adding attachments to ticket comments,
another user can add attachments as well impersonating the orginal user. The attack requires a
logged-in other user to know the UUID. While the legitimate user
completes the comment, the malicious user can add more files to the
comment.

This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

CPENameOperatorVersion
otrsge8.0.0
otrslt2024.1.1
otrsge7.0.0
otrslt7.0.49

Name	Operator	Version
otrs	ge	8.0.0
otrs	lt	2024.1.1
otrs	ge	7.0.0
otrs	lt	7.0.49

References

otrs.com/release-notes/otrs-security-advisory-2024-03/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.0005 Low

EPSS

Percentile

13.1%

JSON

Related for PRION:CVE-2024-23792