Information disclosure and DoS via websocket push events
CVE-2023-2534
What is CVE-2023-2534?
An improper authorization vulnerability in OTRS AG's OTRS 8 Websocket API allows authenticated agents to monitor user behavior and gain live insights into system usage. This security issue could enable an attacker to correlate user IDs with real names through accessible ticket histories. Additionally, by subscribing to all available push events, a malicious user could overwhelm the server, leading to performance degradation, especially in environments with numerous users or large installations. This vulnerability affects OTRS versions prior to 8.0.32.

Affected Version(s)
OTRS 8.0.x
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
