Agent is able to link customer's Config Items without permission
CVE-2021-21436

3.5LOW

Key Information:

Vendor: Otrs Ag
Status: Otrscisincustomerfrontend
Vendor: CVE Published:; 8 February 2021

What is CVE-2021-21436?

Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.

Affected Version(s)

OTRSCIsInCustomerFrontend 7.0.x <= 7.0.14

References

https://otrs.com/release-notes/otrs-security-advisory-202...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 8, 2021
Vulnerability Reserved
Dec 29, 2020

Credit

Bernhard Lehr