CVE-2022-1004: Information disclosure in the External Interface
First published: Mon Mar 21 2022(Updated: )
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Credit: security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=7.0.0<7.0.33 | |
| Otrs Otrs | >=8.0.0<8.0.20 |
Remedy
Update to OTRS 7.0.33 and OTRS 8.0.20.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-1004.
What is the title of the vulnerability?
The title of the vulnerability is 'Accounted time is shown in the Ticket Detail View (External Interface) even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.'
What is the description of the vulnerability?
The description of the vulnerability states that accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Which software versions are affected by this vulnerability?
The vulnerability affects OTRS versions 7.0.0 to 7.0.33 and 8.0.0 to 8.0.20.
What is the severity of CVE-2022-1004?
The severity of CVE-2022-1004 is medium (4.3).
How can I fix CVE-2022-1004?
To fix CVE-2022-1004, update OTRS to version 7.0.34 or 8.0.21 or apply the provided patches from the OTRS Security Advisory 2022-06.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/tags
- agent/title
- agent/description
- agent/first-publish-date
- agent/event
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/7.0.0
- version/otrs otrs/8.0.0