Description
Agents are able to lock a ticket without the "Owner" permission. Once the ticket is locked, it could be moved to a queue where the agent has "rw" permissions, giving the agent full control of the ticket. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
References (1)
Release Notes, Vendor Advisory (x_refsource_confirm)
https://otrs.com/release-notes/otrs-security-advisory-2021-20/
Scores
CVSS v3
3.5
EPSS
0.0051
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-266
Status
published
Products (1)
otrs/otrs
8.0.0 - 8.0.16
Published
Oct 18, 2021
Tracked Since
Feb 18, 2026