Incorrect Privilege Assignment in Inline Editing Can Lead to Privilege Escalation
CVE-2024-23794

7.5 HIGH

Key Information:

Vendor: OTRS AG
Status: Vendor
CVE Published: 15 July 2024

What is CVE-2024-23794?

An incorrect privilege assignment vulnerability exists in the inline editing functionality of OTRS. It allows agents who hold only read-only permissions to elevate their access, potentially gaining full control over tickets. The flaw is triggered only under rare circumstances: an administrator must have enabled the 'RequiredLock' setting of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration. The issue compromises the integrity of user permissions and affects the specific OTRS versions listed below.

Affected Version(s)

OTRS 8.0.x

OTRS 2023.x

OTRS 2024.x <= 2024.4.x

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published