First published: Fri Mar 27 2020
It is possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who have already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Credit: security@otrs.com
Affected Software | Affected Version | How to fix
---|---|---
Otrs Otrs | >=5.0.0, <=5.0.41 |
Otrs Otrs | >=6.0.0, <=6.0.26 |
Otrs Otrs | >=7.0.0, <=7.0.15 |
openSUSE Backports SLE | =15.0 |
openSUSE Backports SLE | =15.0-sp1 |
openSUSE Backports SLE | =15.0-sp2 |
openSUSE Leap | =15.1 |
openSUSE Leap | =15.2 |
Debian Debian Linux | =8.0 |
CVE-2020-1772 is a vulnerability that allows attackers to retrieve valid Tokens used for Lost Password requests in ((OTRS)) Community Edition versions 5.0.41 and prior, 6.0.26 and prior, and 7.0.15 and prior.
CVE-2020-1772 has a severity rating of 7.5 (High).
The affected software versions include ((OTRS)) Community Edition 5.0.41 and prior, 6.0.26 and prior, and 7.0.15 and prior.
An attacker can exploit CVE-2020-1772 by crafting Lost Password requests with wildcards in the Token value to retrieve valid Tokens generated by other users.
Fixes for CVE-2020-1772 have been released. It is recommended to update ((OTRS)) Community Edition to a version that is not affected.
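The bug class described above (a reset token that is looked up with pattern matching, so wildcard characters in the submitted value widen the match to other users' tokens) is easiest to understand with a weak lookup placed beside a hardened one. The following is an added example written for this page; it is not OTRS code, and the `reset_tokens` table, its columns, the 32-hex-character token format and all function names are constructed assumptions for illustration. It also includes a small detection helper for flagging reset requests whose token contains pattern metacharacters, which is what a defender would watch for in request logs.

```python
import hmac
import re
import secrets
import sqlite3

# Hypothetical illustration of the bug class in the advisory, written for this
# page; it is not OTRS code. Table name, column names and token format are
# constructed assumptions.
TOKEN_RE = re.compile(r"\A[0-9a-f]{32}\Z")
WILDCARD_CHARS = set("%_*?")


def build_store():
    """Constructed in-memory store with two users who already requested a reset."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reset_tokens (user_login TEXT PRIMARY KEY, token TEXT NOT NULL)"
    )
    for login in ("alice", "bob"):
        conn.execute(
            "INSERT INTO reset_tokens VALUES (?, ?)", (login, secrets.token_hex(16))
        )
    conn.commit()
    return conn


def lookup_token_pattern_match(conn, supplied):
    """Weak lookup: the supplied value is used as a LIKE pattern, so wildcard
    characters in it match rows belonging to other users."""
    return conn.execute(
        "SELECT user_login, token FROM reset_tokens WHERE token LIKE ?", (supplied,)
    ).fetchone()


def has_wildcards(supplied):
    """Detection helper: flag a submitted token that contains pattern metacharacters."""
    return any(c in WILDCARD_CHARS for c in supplied)


def lookup_token_exact(conn, supplied):
    """Hardened lookup: reject malformed input before querying, match with
    equality only, and confirm the stored value in constant time."""
    if not isinstance(supplied, str) or not TOKEN_RE.match(supplied):
        return None
    row = conn.execute(
        "SELECT user_login, token FROM reset_tokens WHERE token = ?", (supplied,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], supplied):
        return None
    return row


def stored_token(conn, login):
    """Server-side helper used here to read back a user's genuine token."""
    return conn.execute(
        "SELECT token FROM reset_tokens WHERE user_login = ?", (login,)
    ).fetchone()[0]


if __name__ == "__main__":
    conn = build_store()
    print("pattern lookup with '%':", lookup_token_pattern_match(conn, "%"))
    print("exact lookup with '%':", lookup_token_exact(conn, "%"))
    genuine = stored_token(conn, "alice")
    print("exact lookup with alice's token:", lookup_token_exact(conn, genuine))
```

The hardened path does three independent things: it refuses anything that is not shaped like a token (so metacharacters never reach the query), it uses equality rather than a pattern operator, and it re-checks the returned value with `hmac.compare_digest` so that a collation or case-folding quirk in the database cannot reintroduce a looser match. `has_wildcards` is separate from the lookup on purpose: a lost-password endpoint that receives tokens containing `%`, `_`, `*` or `?` is worth alerting on regardless of whether the lookup is already fixed.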