Permissions, Privileges, and Access Controls in OTRS - CVE-2010-4768
Published: March 18, 2011 / Updated: August 11, 2020
OTRS
Detailed vulnerability description
The vulnerability allows a remote authenticated user to read and manipulate data.
Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions.