CVE-2020-1772
6.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OTRS AG | ((OTRS)) Community Edition | 5.0.x <= 5.0.41 | affected |
| OTRS AG | ((OTRS)) Community Edition | 6.0.x <= 6.0.26 | affected |
| OTRS AG | OTRS | 7.0.x <= 7.0.15 | affected |
Weaknesses
- CWE-155: CWE-155
ADP Enrichment
CVE Program Container
Additional References
- https://otrs.com/release-notes/otrs-security-advisory-2020-09/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
References
- https://otrs.com/release-notes/otrs-security-advisory-2020-09/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.