CVE-2024-23794

Summary

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: 

  • 8.0.X
  • 2023.X
  • from 2024.X through 2024.4.x

Affected Software

VendorProductVersion RangeStatus
OTRS AGOTRS8.0.xaffected
OTRS AGOTRS2023.xaffected
OTRS AGOTRS2024.x <= 2024.4.xaffected

Weaknesses

  • CWE-266: CWE-266 Incorrect Privilege Assignment

Workarounds

deactivate RequiredLock of AgentFrontend::Ticket::InlineEditing::Property###Watch or disable Ticket::Permission###1-OwnerCheck

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References