
Tobias Kirchner

#51340 of 53,633
4.3 Total CVSS
Vulnerabilities · 1
PT-2020-9401
4.3
2020-03-10
Otrs · Otrs · CVE-2019-13457
Name of the Vulnerable Software and Affected Versions: Open Ticket Request System (OTRS) versions 7.0.x through 7.0.8

Description: An issue was discovered in Open Ticket Request System (OTRS) where a customer user can use the search results to disclose information from their "company" tickets, even when the CustomerDisableCompanyTicketAccess setting is turned on. This allows access to tickets with the same CustomerID.

Recommendations: For versions 7.0.x through 7.0.8, consider disabling the search function for customer users until a patch is available, or adjust the CustomerDisableCompanyTicketAccess setting to restrict access to company tickets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.