Vulnerability Details CVE-2019-13457
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.2%
CVSS Severity
CVSS v3 Score 4.3
CVSS v2 Score 4.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://otrs.com/release-notes/otrs-security-advisory-2019-11/
- https://www.otrs.com/category/release-and-security-notes-en/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://otrs.com/release-notes/otrs-security-advisory-2019-11/
- https://www.otrs.com/category/release-and-security-notes-en/
Products affected by CVE-2019-13457
-
cpe:2.3:a:otrs:otrs:7.0.0
-
cpe:2.3:a:otrs:otrs:7.0.4
-
cpe:2.3:a:otrs:otrs:7.0.5
-
cpe:2.3:a:otrs:otrs:7.0.6
-
cpe:2.3:a:otrs:otrs:7.0.7
-
cpe:2.3:a:otrs:otrs:7.0.8