Code execution through ACL creation
CVE-2023-1250

7.4 HIGH

Key Information:

Vendor
OTRS AG
CVE Published:
20 March 2023

What is CVE-2023-1250?

An improper input validation vulnerability exists in the ACL modules of OTRS (OTRS AG), affecting multiple versions of OTRS and its Community Edition. The flaw allows an attacker to create or import Access Control Lists (ACLs) whose comments and ACL names contain malicious code. When these ACLs are processed, the injected code is executed locally, posing a serious risk to the integrity and security of the affected systems. Users are urged to review the impacted versions and apply security updates promptly.

Affected Version(s)

  • ((OTRS)) Community Edition 6.0.1 <= 6.0.34

  • OTRS 7.0.x

  • OTRS 7.0.x < 7.0.42

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Special thanks to Tim Püttmanns for reporting this vulnerability.