Vulnerability Details CVE-2024-23794
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 23.2%
CVSS Severity
CVSS v3 Score 5.2
References
Products affected by CVE-2024-23794
-
cpe:2.3:a:otrs:otrs:2023.0.0
-
cpe:2.3:a:otrs:otrs:2023.1.1
-
cpe:2.3:a:otrs:otrs:2024.1.1
-
cpe:2.3:a:otrs:otrs:8.0.0
-
cpe:2.3:a:otrs:otrs:8.0.1
-
cpe:2.3:a:otrs:otrs:8.0.10
-
cpe:2.3:a:otrs:otrs:8.0.11
-
cpe:2.3:a:otrs:otrs:8.0.12
-
cpe:2.3:a:otrs:otrs:8.0.13
-
cpe:2.3:a:otrs:otrs:8.0.14
-
cpe:2.3:a:otrs:otrs:8.0.15
-
cpe:2.3:a:otrs:otrs:8.0.16
-
cpe:2.3:a:otrs:otrs:8.0.17
-
cpe:2.3:a:otrs:otrs:8.0.18
-
cpe:2.3:a:otrs:otrs:8.0.19
-
cpe:2.3:a:otrs:otrs:8.0.2
-
cpe:2.3:a:otrs:otrs:8.0.23
-
cpe:2.3:a:otrs:otrs:8.0.26
-
cpe:2.3:a:otrs:otrs:8.0.27
-
cpe:2.3:a:otrs:otrs:8.0.28
-
cpe:2.3:a:otrs:otrs:8.0.29
-
cpe:2.3:a:otrs:otrs:8.0.3
-
cpe:2.3:a:otrs:otrs:8.0.30
-
cpe:2.3:a:otrs:otrs:8.0.31
-
cpe:2.3:a:otrs:otrs:8.0.32
-
cpe:2.3:a:otrs:otrs:8.0.37
-
cpe:2.3:a:otrs:otrs:8.0.4
-
cpe:2.3:a:otrs:otrs:8.0.5
-
cpe:2.3:a:otrs:otrs:8.0.6
-
cpe:2.3:a:otrs:otrs:8.0.7
-
cpe:2.3:a:otrs:otrs:8.0.9