PT-2022-13199 · Unknown · Otrscustomcontactfields

Published: 2022-02-07 · Updated: 2022-02-25 · CVE-2022-0474

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OTRSCustomContactFields version 8.0.11 and prior versions.

Description

The issue allows the full list of recipients from customer users in a contact field to be disclosed in notification emails, even when the notification is set to be sent to each recipient individually.

Recommendations

For versions 8.0.11 and prior, consider disabling the notification feature that sends emails to each recipient individually until a fix is available. Restrict access to the contact field to minimize the risk of recipient disclosure.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2022-0474

Affected Products

Otrscustomcontactfields