Main Vulnerability Database SB2017111429

SB2017111429 - Information disclosure in Open Ticket Request System

Published: November 14, 2017 Updated: November 27, 2017

Security Bulletin ID SB2017111429

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-15864)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient input validation. A remote attacker who is logged into OTRS as an agent can request special URLs from OTRS, and retrieve any configuration information, including database credentials.

Remediation

Install update from vendor's website.

References

https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/