PT-2021-14508 · Otrs Ag · Otrs Ag Otrscisincustomerfrontend

Bernhard Lehr · Published 2021-02-08 · Updated 2021-02-10 · CVE-2021-21436

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OTRS AG OTRSCIsInCustomerFrontend versions 7.0.14 and prior versions.

Description

The issue allows agents to see and link Config Items without the necessary permissions, which are defined in the General Catalog.

Recommendations

For OTRS AG OTRSCIsInCustomerFrontend versions 7.0.14 and prior versions, update to a version that includes the necessary permission checks to restrict access to Config Items. As a temporary workaround, consider restricting access to the General Catalog to minimize the risk of exploitation.

Fix

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

CVE-2021-21436

Affected Products

Otrs Ag Otrscisincustomerfrontend