SB2020072024 - Insufficient Session Expiration in OTRS
Published: July 20, 2020 Updated: April 1, 2021
Security Bulletin ID
SB2020072024
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient Session Expiration (CVE-ID: CVE-2020-1776)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
Remediation
Install update from vendor's website.