Missing file type check in avatar picture upload
CVE-2024-23790

3.5 LOW

Key Information:

Vendor:
OTRS AG

Status:
Vendor

CVE Published:
29 January 2024

What is CVE-2024-23790?

An improper input validation vulnerability exists in the user avatar upload feature of OTRS. The upload handler does not check the type of the submitted file, so an authenticated user can store a file of an arbitrary type as their avatar image instead of being limited to the image formats the feature is meant to accept. Per the CVSS vector below, exploitation requires low privileges and user interaction, and the impact is limited to confidentiality and availability (both Low). The vulnerability affects OTRS 7.0.x up to and including 7.0.48, 8.0.x up to and including 8.0.37, and OTRS 2023 up to and including 2023.1.1. Users of these versions should apply the updates and mitigations described in the security advisory issued by OTRS.
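The check that is missing here is the one an upload handler should do before storing anything: decide what the file is from its bytes, not from the extension or the Content-Type the client sends. The following is an added example written for this page, not OTRS code; the function names, the accepted formats, the 512 KiB size limit and the 4096-pixel dimension limit are all assumptions chosen for illustration. It places a weak check that trusts the declared type next to a hardened one that requires the extension, the declared type and the file signature to agree, and that also parses the PNG header so an oversized canvas is rejected before any image library touches it.

```python
"""Avatar upload validation: declared type vs. content sniffing.

Added example for this advisory, not code from OTRS. Names, limits and the
sample inputs below are constructed for illustration.
"""
import struct

# Signatures of the raster formats an avatar feature would normally accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Which extensions are acceptable for each sniffed type.
EXTENSIONS_FOR = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
}
MAX_AVATAR_BYTES = 512 * 1024   # hypothetical upload size limit
MAX_DIMENSION = 4096            # hypothetical width/height limit in pixels


def vulnerable_accept(filename, declared_type, data):
    """Weak check: trusts the client-supplied Content-Type only.

    Any request that declares an image/* type is accepted, whatever the
    bytes actually are, which is the class of flaw the advisory describes.
    """
    return declared_type.startswith("image/")


def sniff_image_type(data):
    """Return the MIME type whose signature matches the leading bytes, else None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def png_dimensions(data):
    """Read width and height from the PNG IHDR chunk, or None if it is malformed.

    Layout: 8-byte signature, 4-byte chunk length, b"IHDR", width, height.
    """
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def hardened_accept(filename, declared_type, data):
    """Accept only when size, extension, declared type and real content all agree."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_image_type(data)
    if actual is None:
        # HTML, SVG, scripts, archives and office documents carry no raster signature.
        return False
    if declared_type != actual or ext not in EXTENSIONS_FOR[actual]:
        # A mismatch means the client is lying about one of the three, so reject
        # rather than guess which one to believe.
        return False
    if actual == "image/png":
        dims = png_dimensions(data)
        if dims is None or max(dims) > MAX_DIMENSION:
            return False
    return True


# Constructed sample inputs (not real uploads).
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
    + struct.pack(">IIBBBBB", 64, 64, 8, 6, 0, 0, 0) + b"\x00\x00\x00\x00"
)
SAMPLE_HUGE_PNG = (
    b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
    + struct.pack(">IIBBBBB", 100000, 100000, 8, 6, 0, 0, 0) + b"\x00\x00\x00\x00"
)
SAMPLE_HTML = b"<html><body>not an image</body></html>"
SAMPLE_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"


if __name__ == "__main__":
    for name, ctype, blob in [
        ("avatar.png", "image/png", SAMPLE_PNG),
        ("avatar.png", "image/png", SAMPLE_HTML),
        ("avatar.svg", "image/svg+xml", SAMPLE_SVG),
        ("avatar.png", "image/png", SAMPLE_HUGE_PNG),
    ]:
        print(name, ctype, "weak:", vulnerable_accept(name, ctype, blob),
              "hardened:", hardened_accept(name, ctype, blob))
```

The weak check accepts the HTML document as soon as the client labels it image/png; the hardened check rejects it because the bytes carry no image signature, rejects the SVG because a markup format is never a raster avatar, and rejects the 100000x100000 PNG on its header alone. In a real deployment the accepted file should additionally be re-encoded by an image library and served with a fixed Content-Type and a Content-Disposition header so that nothing under the avatar path is ever interpreted as a document.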

Affected Version(s)

OTRS 8.0.x <= 8.0.37

OTRS 2023 <= 2023.1.1

OTRS 7.0.x <= 7.0.48

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Special thanks to Matthias Püschel for reporting this vulnerability.