Описание
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| otrs2 | fixed | 6.0.24-1 | package | |
| otrs2 | ignored | stretch | package |
Примечания
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351
OTRS 6.0: https://github.com/OTRS/otrs/commit/d873fde85260e50f7e7a9f47c691b1cafd237119
OTRS 6.0: https://github.com/OTRS/otrs/commit/0ec21884a2a1573987bf77631dc5a54d951280b7
OTRS 5.0: https://github.com/OTRS/otrs/commit/696db4d90a1b44ce4ed0c8a4ab9d53bfa3c9836e
Связанные уязвимости
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
