When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
History

Tue, 12 Nov 2024 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2024-01-29T09:20:06.829Z

Updated: 2024-11-12T21:47:04.433Z

Reserved: 2024-01-22T10:32:00.704Z

Link: CVE-2024-23792

cve-icon Vulnrichment

Updated: 2024-08-01T23:13:07.447Z

cve-icon NVD

Status : Modified

Published: 2024-01-29T10:15:08.683

Modified: 2024-11-21T08:58:25.700

Link: CVE-2024-23792

cve-icon Redhat

No data.