PT-2019-12916 · Otrs+2 · Otrs Community Edition+2

Published: 2019-08-12 · Updated: 2023-08-31 · CVE-2019-12746

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Open Ticket Request System (OTRS) Community Edition versions 5.0.x through 5.0.36
Open Ticket Request System (OTRS) Community Edition versions 6.0.x through 6.0.19

Description

An issue was discovered where a user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be potentially abused in order to impersonate the agent user.

Recommendations

For versions 5.0.x through 5.0.36, consider restricting access to embedded ticket articles to prevent unintended session ID disclosure. For versions 6.0.x through 6.0.19, consider implementing measures to protect session IDs from being shared or abused, such as using secure communication protocols or encrypting session identifiers.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3068
ALT-PU-2019-3183
CVE-2019-12746
DLA-1877-1
DLA-3551-1
OPENSUSE-SU-2020:0551-1
OPENSUSE-SU-2020:1475-1
OPENSUSE-SU-2020:1509-1
OPENSUSE-SU-2020_0551-1
OPENSUSE-SU-2020_1475-1

Affected Products

Alt Linux
Otrs Community Edition
Suse