CVE-2023-2534

EPSS 0.11%
Veröffentlicht 08.05.2023 08:15:43
Zuletzt bearbeitet 21.11.2024 07:58:47
Quelle security@otrs.com
CVE-Watchlists
Login
Unerledigt
Login

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via
ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation
and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Otrs ≫ Otrs Version >= 8.0.0 < 8.0.32

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.291

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
security@otrs.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://otrs.com/release-notes/otrs-security-advisory-2023-03/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-2534

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2534

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2534

EUVD