Description
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
References (6)
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
Patch, Vendor Advisory
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
Scores
CVSS v3: 4.3
EPSS: 0.0040
EPSS Percentile: 61.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
Status: published
Products (6)
debian/debian_linux: 8.0
opensuse/backports_sle: 15.0 (3 CPE variants)
opensuse/leap: 15.1
opensuse/leap: 15.2
otrs/otrs: 5.0.0 - 5.0.38
otrs/otrs: 7.0.0 - 7.0.12
Published: Jan 06, 2020
Tracked Since: Feb 18, 2026