Main Vulnerability Database Vulnerabilities #VU45198

Permissions, Privileges, and Access Controls in OTRS - CVE-2008-7277

Published: March 18, 2011 / Updated: August 11, 2020

Vulnerability identifier: #VU45198

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2008-7277

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: otrs.org

Affected software:
OTRS

Detailed vulnerability description

The vulnerability allows a remote #AU# to read and manipulate data.

Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets.

How to mitigate CVE-2008-7277

Install update from vendor's website.

Sources

http://bugs.otrs.org/show_bug.cgi?id=3045
http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807

Permissions, Privileges, and Access Controls in OTRS - CVE-2008-7277

Detailed vulnerability description

How to mitigate CVE-2008-7277

Sources

Please verify you're human