SB20200310149 - Information disclosure in OTRS
Published: March 10, 2020 Updated: April 1, 2021
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2019-13457)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
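A compact model of the access rule the bulletin describes, added here as an illustration and not OTRS code (the ticket numbers, company IDs and logins are constructed; only the setting name comes from the advisory): the ticket view path honours CustomerDisableCompanyTicketAccess, a search path that scopes results by CustomerID alone does not, and the check reports any ticket the search returns that the view path would refuse.

```python
from dataclasses import dataclass

# Constructed model of the access rule in the bulletin. Added illustration, not
# OTRS code; the setting name is the advisory's, the records below are made up.

@dataclass(frozen=True)
class Ticket:
    number: str
    customer_id: str        # the customer's company (CustomerID)
    customer_user_id: str   # the individual customer login that opened it

@dataclass(frozen=True)
class CustomerUser:
    login: str
    customer_id: str

def may_view(user: CustomerUser, ticket: Ticket, disable_company_access: bool) -> bool:
    """Single authorization predicate meant to be shared by view and search."""
    if ticket.customer_user_id == user.login:
        return True                      # own tickets are always visible
    if disable_company_access:
        return False                     # company-wide ticket access switched off
    return ticket.customer_id == user.customer_id

def search_vulnerable(user, tickets, term, disable_company_access):
    """Search scoped by CustomerID only; the setting is ignored (the bug class)."""
    return [t for t in tickets
            if t.customer_id == user.customer_id and term in t.number]

def search_fixed(user, tickets, term, disable_company_access):
    """Search that reuses the view predicate, so results never exceed what view allows."""
    return [t for t in tickets
            if may_view(user, t, disable_company_access) and term in t.number]

def leaked(user, tickets, term, disable_company_access, search):
    """Ticket numbers the search returns but the view path refuses; non-empty means disclosure."""
    return [t.number for t in search(user, tickets, term, disable_company_access)
            if not may_view(user, t, disable_company_access)]

# Constructed sample data: two "acme" customer users and one unrelated company.
TICKETS = [
    Ticket("2020031010000011", "acme", "alice"),
    Ticket("2020031010000022", "acme", "bob"),
    Ticket("2020031010000033", "globex", "carol"),
]
ALICE = CustomerUser("alice", "acme")
```

Running `leaked` against every search entry point with the setting turned on is a cheap regression check for this class of inconsistency between the view and search paths.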
Remediation
Install the update from the vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://otrs.com/release-notes/otrs-security-advisory-2019-11/
- https://www.otrs.com/category/release-and-security-notes-en/