CVE-2021-36097

Published: Oct 18, 2021Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

Affected (1)

Products: Otrs: Otrs

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Otrs Otrs	From 8.0.0 to 8.0.16

Related CWEs

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (2)

https://otrs.com/release-notes/otrs-security-advisory-2021-20/

Source: security@otrs.com

Release NotesVendor Advisory

https://otrs.com/release-notes/otrs-security-advisory-2021-20/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.