Description
In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.
References (2)
Core 2
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4021
Vendor Advisory x_refsource_confirm
https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/
Scores
CVSS v3
8.8
EPSS
0.0192
EPSS Percentile
77.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (39)
otrs/otrs
3.3.0 (7 CPE variants)
otrs/otrs
3.3.1
otrs/otrs
3.3.2
otrs/otrs
3.3.3
otrs/otrs
3.3.4
otrs/otrs
3.3.5
otrs/otrs
3.3.6
otrs/otrs
3.3.7
otrs/otrs
3.3.8
otrs/otrs
3.3.9
... and 29 more
Published
Sep 21, 2017
Tracked Since
Feb 18, 2026