CVE-2017-9324

Published: Jun 12, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end.

Affected (5)

Products: Otrs: Otrs · Debian: Debian Linux

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Otrs Otrs	From 3.3.0 to 3.3.16
Otrs Otrs	From 4.0.0 to 4.0.23
Otrs Otrs	From 5.0.0 to 5.0.19

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (6)

http://www.debian.org/security/2017/dsa-3876

Source: cve@mitre.org

Third Party Advisory

https://packetstormsecurity.com/files/142862/OTRS-Install-Dialog-Disclosure.html

Source: cve@mitre.org

Mailing ListThird Party AdvisoryVDB Entry

https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/

Source: cve@mitre.org

Vendor Advisory

http://www.debian.org/security/2017/dsa-3876

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://packetstormsecurity.com/files/142862/OTRS-Install-Dialog-Disclosure.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party AdvisoryVDB Entry

https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.