CVE-2024-6540

MEDIUM

OTRS <2024.4.x - Info Disclosure

Title source: llm

Description

Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x

References (1)

[Vendor Advisory] https://otrs.com/release-notes/otrs-security-advisory-2024-07/

Scores

CVSS v3 5.7

EPSS 0.0044

EPSS Percentile 63.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-790

Status published

Affected Products (1)

otrs/otrs < 2024.5.2

Timeline

Published Jul 15, 2024

Tracked Since Feb 18, 2026