Memory leak in OTRS - CVE-2017-17476
Published: December 25, 2017
Vulnerability identifier: #VU9751
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-17476
CWE-ID: CWE-401
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: otrs.org
Affected software:
OTRS
Detailed vulnerability description
The vulnerability allows a remote attacker to hijack web session on the target system.
The weakness exists because the system leaks session information to external systems. A remote attacker can send a specially crafted email to an OTRS system, obtain the session data and take over the agent's session.
Successful exploitation of the vulnerability may result in privilege escalation.
How to mitigate CVE-2017-17476
The vulnerability is addressed in the following versions: 4.0.28, 5.0.26, 6.0.3.
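A small version check for the fixed releases listed above, added here as an example and not part of the advisory or of OTRS itself. It assumes the version is available as a string such as "6.0.2" (for instance from the VERSION line of the OTRS RELEASE file, which is an assumption) and treats branches the advisory does not list as unknown rather than as safe.

```python
"""Version check for CVE-2017-17476 (OTRS session-data leak).

Added example, not part of the advisory. The fixed releases are the ones
the advisory lists: 4.0.28, 5.0.26 and 6.0.3. Branches that the advisory
does not list (e.g. 3.x or 7.x) yield None, not False, so that an unknown
branch is never silently reported as patched.
"""
import re
from typing import Optional, Tuple

# Fixed patch level per affected branch (major, minor), taken from the advisory.
FIXED_PATCH = {
    (4, 0): 28,
    (5, 0): 26,
    (6, 0): 3,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a major.minor.patch triple from strings such as '6.0.2' or
    'VERSION = 6.0.2' (assumed RELEASE file format). Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below its branch's fixed release, False if it
    is at or above it, None if no version is found or the branch is not
    one the advisory covers."""
    version = parse_version(text)
    if version is None:
        return None
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not real installation data.
    for sample in ("VERSION = 6.0.2", "6.0.3", "5.0.25", "4.0.30", "3.3.20", "PRODUCT = OTRS"):
        print(f"{sample!r} -> vulnerable: {is_vulnerable(sample)}")
```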