CVE-2020-1767: Possible to send drafted messages as wrong agent
First published: Fri Jan 10 2020(Updated: )
Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Credit: security@otrs.com security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=6.0.0<=6.0.24 | |
| Otrs Otrs | >=7.0.0<=7.0.13 | |
| Debian Debian Linux | =8.0 |
Remedy
Upgrade to OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25
Remedy
Patch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/6.0.0
- version/otrs otrs/6.0.24
- version/otrs otrs/7.0.0
- version/otrs otrs/7.0.13
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0