October 17, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: security@otrs.org
Security Advisory Details
- ID: OSA-2017-05
- Date: 2017-10-17
- Title: Vulnerability in OTRS Business Solution™ allows access to any active public chats
- Severity: 4.7 Medium
- Product: OTRS Business Solution™ 5.0.x, OTRS Business Solution™ 4.0.x
- Fixed in: OTRS Business Solution™ 5.0.21, OTRS Business Solution™ 4.0.8
- FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:U
- References:
Vulnerability Description
This advisory covers vulnerabilities discovered in the OTRS Business Solution™.
Privilege Escalation
An attacker could manipulate the URL to access any active public chat, even without being a participant in it.
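The flaw described above is a missing authorization check on an object referenced directly by its identifier in the URL. The following Python snippet is an added illustration, not OTRS code: it shows the vulnerable pattern (a chat handler that trusts the identifier from the request and never checks who is asking) beside the hardened pattern (the handler verifies that the requester is a participant before returning anything). The class and function names (`ChatStore`, `get_chat_insecure`, `get_chat_checked`, `PermissionDenied`) and the sample chats are constructed for this example.

```python
"""Added example (not OTRS code): insecure direct object reference on a chat
endpoint, beside the participant check that closes it.
All names and sample data below are constructed for illustration."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a requester may not see the requested chat."""


@dataclass
class Chat:
    chat_id: int
    participants: frozenset  # user identifiers allowed to read this chat
    messages: list = field(default_factory=list)


class ChatStore:
    def __init__(self):
        self._chats = {}

    def add(self, chat):
        self._chats[chat.chat_id] = chat

    def get_chat_insecure(self, chat_id, requester):
        # Vulnerable pattern: chat_id comes straight from the URL and the
        # requester is never consulted, so any active chat can be read by
        # anyone who guesses or increments the identifier.
        chat = self._chats.get(chat_id)
        if chat is None:
            raise KeyError(chat_id)
        return chat.messages

    def get_chat_checked(self, chat_id, requester):
        # Hardened pattern: resolve the object, then verify the requester is a
        # participant before returning anything. "Missing" and "forbidden"
        # produce the same error so identifiers cannot be enumerated through
        # differing responses.
        chat = self._chats.get(chat_id)
        if chat is None or requester not in chat.participants:
            raise PermissionDenied(f"chat {chat_id} is not available to {requester}")
        return chat.messages


def build_sample_store():
    """Constructed sample data: two public chats with distinct participants."""
    store = ChatStore()
    store.add(Chat(1001, frozenset({"customer-a", "agent-1"}),
                   ["hello from customer-a"]))
    store.add(Chat(1002, frozenset({"customer-b", "agent-2"}),
                   ["hello from customer-b"]))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # customer-b is not in chat 1001 but the insecure handler serves it anyway
    print("insecure:", store.get_chat_insecure(1001, "customer-b"))
    # the checked handler refuses the same request
    try:
        store.get_chat_checked(1001, "customer-b")
    except PermissionDenied as exc:
        print("checked:", exc)
```

The point of the hardened handler is that authorization is decided on the server from the requester's identity and the object's own participant list, never from anything the client supplies in the URL.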
Affected by this vulnerability are all releases of OTRS Business Solution™ 5.0.x up to and including 5.0.20 and OTRS Business Solution™ 4.0.x up to and including 4.0.7.
This vulnerability is fixed in the latest versions of OTRS Business Solution™, and it is recommended to upgrade via the OTRS Business Solution™ management module in the admin area of OTRS.
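To answer the advisory's opening request (check whether your installed version is affected), here is a small added Python helper that encodes the affected ranges stated above: 5.0.x up to and including 5.0.20 and 4.0.x up to and including 4.0.7, with the fixes in 5.0.21 and 4.0.8. It is not an OTRS tool; the function names are constructed for this example, and for any release branch the advisory does not mention it returns `None` (not covered by this advisory) rather than claiming the version is safe.

```python
"""Added helper (not an OTRS tool): classify an OTRS Business Solution version
against the ranges named in OSA-2017-05. Function names are constructed."""

# Last affected patch release per branch, as stated in the advisory.
LAST_AFFECTED = {
    (5, 0): (5, 0, 20),  # 5.0.x up to and including 5.0.20; fixed in 5.0.21
    (4, 0): (4, 0, 7),   # 4.0.x up to and including 4.0.7;  fixed in 4.0.8
}


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True if the version is in an affected range, False if it is on a
    listed branch at or past the fix, None if the branch is not covered
    by this advisory (which is not the same as 'not vulnerable')."""
    version = parse_version(text)
    last = LAST_AFFECTED.get(version[:2])
    if last is None:
        return None
    return version <= last


if __name__ == "__main__":
    for v in ("5.0.20", "5.0.21", "4.0.7", "4.0.8", "6.0.1"):
        print(v, "->", is_affected(v))
```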