Input validation error in OTRS
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU51863
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-1765
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
MitigationInstall update from vendor's website.
Vulnerable software versionsOTRS: 5.0.0 - 6.0.13
CPE2.3- cpe:2.3:a:otrs_org:open_ticket_request_system:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs_org:open_ticket_request_system:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs_org:open_ticket_request_system:5.0.2:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html
https://otrs.com/release-notes/otrs-security-advisory-2020-01/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
