CVE-2021-36097

Summary

Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

Affected Software

VendorProductVersion RangeStatus
OTRS AGOTRS8.0.x <= 8.0.16affected

Weaknesses

  • CWE-266: CWE-266 Incorrect Privilege Assignment

ADP Enrichment

CVE Program Container

Additional References

References