Information disclosure and DoS via websocket push events
CVE-2023-2534
7.6HIGH
What is CVE-2023-2534?
An improper authorization vulnerability in OTRS AG's OTRS 8 Websocket API allows any authenticated agent to subscribe to push events that concern other users, and thereby to monitor their behaviour and gain live insight into system usage. Because the events expose user IDs, an attacker can correlate those IDs with real names through the ticket histories the agent can already read. In addition, by subscribing to all available push events a malicious agent can overwhelm the server and degrade its performance, which is most pronounced on large installations with many users. This vulnerability affects OTRS versions prior to 8.0.32.
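The two failure modes above, a missing per-subscriber authorization check on push events and no limit on how many events one agent may subscribe to, are shown side by side in the following added example. It is a hypothetical in-memory model written for this page, not OTRS code: the topic names ("user.session", "ticket.update"), the Agent/Event fields, the queue-based permission rule and the subscription cap are all assumptions chosen for illustration.

```python
"""Model of the push-event subscription flaw the advisory describes, with a hardened form.

Added, hypothetical example (not OTRS code): an in-memory broker standing in for
the server side of a WebSocket push API. Topic names, agent fields, the queue
permission rule and the subscription cap are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Agent:
    user_id: int
    roles: frozenset = frozenset()
    queues: frozenset = frozenset()  # ticket queues this agent may read (assumed permission model)


@dataclass(frozen=True)
class Event:
    topic: str
    subject_user: int             # the user whose session/activity the event describes
    queue: Optional[str] = None   # queue of the ticket the event concerns, if any
    payload: str = ""


class VulnerableBroker:
    """Improper authorization: every subscriber to a topic receives every event on it,
    and nothing limits how many topics one agent may subscribe to."""

    def __init__(self):
        self.subs = defaultdict(set)  # topic -> set of Agent

    def subscribe(self, agent, topic):
        self.subs[topic].add(agent)
        return True

    def publish(self, event):
        # Returns the user_ids that received the event.
        return sorted(a.user_id for a in self.subs[event.topic])


class HardenedBroker:
    """Authorizes each delivery per subscriber and caps live subscriptions per agent."""

    def __init__(self, max_subscriptions=8):
        self.subs = defaultdict(set)
        self.active = defaultdict(int)  # agent -> number of live subscriptions
        self.max_subscriptions = max_subscriptions

    def subscribe(self, agent, topic):
        if agent in self.subs[topic]:
            return True                      # idempotent re-subscribe
        if self.active[agent] >= self.max_subscriptions:
            return False                     # refuse: blunts "subscribe to everything" floods
        self.subs[topic].add(agent)
        self.active[agent] += 1
        return True

    @staticmethod
    def authorized(agent, event):
        if "admin" in agent.roles:
            return True
        if event.queue is not None:          # ticket event: needs read access to its queue
            return event.queue in agent.queues
        return event.subject_user == agent.user_id  # session/presence event: only the user themself

    def publish(self, event):
        return sorted(a.user_id for a in self.subs[event.topic]
                      if self.authorized(a, event))


def demo():
    """Runs both brokers on constructed events and returns the observable outcomes."""
    agent1 = Agent(1, queues=frozenset({"Raw"}))
    agent2 = Agent(2)
    admin = Agent(9, roles=frozenset({"admin"}))
    login_of_user2 = Event("user.session", subject_user=2, payload="login")
    raw_ticket = Event("ticket.update", subject_user=2, queue="Raw", payload="note added")
    junk_ticket = Event("ticket.update", subject_user=2, queue="Junk", payload="note added")

    vulnerable = VulnerableBroker()
    hardened = HardenedBroker(max_subscriptions=3)
    for broker in (vulnerable, hardened):
        for a in (agent1, admin):
            broker.subscribe(a, "user.session")
            broker.subscribe(a, "ticket.update")

    # Flood attempt: agent2 tries to subscribe to every topic the server offers (constructed list).
    all_topics = [f"topic.{i}" for i in range(20)]
    return {
        "vulnerable_session_leak": vulnerable.publish(login_of_user2),  # [1, 9]: agent1 sees user 2 log in
        "hardened_session": hardened.publish(login_of_user2),           # [9]: only the admin
        "hardened_raw_ticket": hardened.publish(raw_ticket),            # [1, 9]: agent1 may read Raw
        "hardened_junk_ticket": hardened.publish(junk_ticket),          # [9]
        "vulnerable_flood_accepted": sum(vulnerable.subscribe(agent2, t) for t in all_topics),  # 20
        "hardened_flood_accepted": sum(hardened.subscribe(agent2, t) for t in all_topics),      # 3
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that authorization must be evaluated at delivery time against the event's subject, not only at subscribe time against the topic name, because a topic such as "user.session" is legitimately subscribable yet carries events about other users. The per-agent cap is a coarse mitigation for the flooding variant; a production server would also want rate limiting and server-side fan-out accounting.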
Affected Version(s)
OTRS 8.0.x prior to 8.0.32
References
CVSS V3.1
Score: 7.6
Severity: HIGH
Vector (assembled from the metrics below): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Special thanks to Maximilian Gutwein for reporting this vulnerability.