Insufficient Session Expiration in OTRS



Published: 2020-07-20 | Updated: 2021-04-01
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-1776
CWE-ID CWE-613
Exploitation vector Network
Public exploit N/A
Vulnerable software
OTRS
Web applications / Other software

Vendor otrs.org

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient Session Expiration

EUVDB-ID: #VU51871

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1776

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

When an agent user is renamed or set to invalid, the session belonging to that user is kept active instead of being terminated. For an invalidated agent the stale session cannot be used to access ticket data, which is why the impact is limited. This issue affects ((OTRS)) Community Edition 6.0.28 and prior versions, OTRS 7.0.18 and prior versions, and OTRS 8.0.4 and prior versions.
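The weakness class (CWE-613) is easiest to see as two session-lookup routines side by side. The following is an added illustration written for this bulletin; it is not OTRS code and does not use the OTRS API. The agent table, session store, TTL and function names are all constructed for the example. The vulnerable lookup trusts the session record alone, so a session issued before the agent was renamed or set invalid keeps working until its timeout; the hardened lookup re-checks the agent's current state on every request, and the admin handlers also revoke sessions eagerly when they change an agent.

```python
"""Session handling around agent rename / invalidation (constructed example)."""
import secrets
import time

# Constructed agent table and session store; stand-ins for a real database.
USERS = {
    1: {"login": "alice", "valid": True},
    2: {"login": "bob", "valid": True},
}
SESSIONS = {}        # session id -> {"user_id", "login", "expires"}
SESSION_TTL = 3600   # seconds; assumed value for the example


def create_session(user_id, now=None):
    """Issue a session for an agent that has just authenticated."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user_id": user_id,
        "login": USERS[user_id]["login"],   # login name at issue time
        "expires": now + SESSION_TTL,
    }
    return sid


def lookup_vulnerable(sid, now=None):
    """CWE-613 pattern: only the session record is consulted.

    The agent's current state is never re-read, so a session issued before
    the agent was renamed or set invalid stays usable until the TTL runs out.
    """
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or s["expires"] <= now:
        return None
    return s


def lookup_hardened(sid, now=None):
    """Re-validate the agent behind the session on every request."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or s["expires"] <= now:
        SESSIONS.pop(sid, None)
        return None
    user = USERS.get(s["user_id"])
    # Terminate the session if the agent was deleted, set invalid, or renamed
    # after the session was issued.
    if user is None or not user["valid"] or user["login"] != s["login"]:
        SESSIONS.pop(sid, None)
        return None
    return s


def revoke_sessions_for(user_id):
    """Eager revocation: drop every session of one agent, return the count."""
    doomed = [sid for sid, s in SESSIONS.items() if s["user_id"] == user_id]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def admin_set_invalid(user_id):
    """Fixed admin operation: change the agent state and revoke its sessions."""
    USERS[user_id]["valid"] = False
    return revoke_sessions_for(user_id)


def admin_rename(user_id, new_login):
    """Fixed admin operation: rename the agent and revoke its sessions."""
    USERS[user_id]["login"] = new_login
    return revoke_sessions_for(user_id)


def demo():
    """Reproduce the bulletin's scenario: invalidate an agent, keep its session."""
    t0 = 1_000_000.0
    sid = create_session(1, now=t0)
    USERS[1]["valid"] = False   # state change with no revocation, as in the flawed path
    still_active = lookup_vulnerable(sid, now=t0 + 60) is not None
    cut_off = lookup_hardened(sid, now=t0 + 60) is None
    return still_active, cut_off


if __name__ == "__main__":
    print("vulnerable lookup still accepts session, hardened lookup rejects it:", demo())
```

Both layers are worth having: per-request re-validation catches any state change regardless of which code path made it, while eager revocation in the admin handlers ends the session immediately rather than on the agent's next request.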

Mitigation

Install update from vendor's website.

Vulnerable software versions

OTRS: 6.0.0 - 6.0.13

External links

http://otrs.com/release-notes/otrs-security-advisory-2020-13/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
