CVE-2024-23794

Name of the Vulnerable Software and Affected Versions OTRS versions 8.0.X OTRS versions 2023.X OTRS versions from 2024.X through 2024.4.x

Description An incorrect privilege assignment vulnerability in the inline editing functionality can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. The issue arises when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.

Recommendations For OTRS versions 8.0.X, consider disabling the inline editing functionality until a patch is available. For OTRS versions 2023.X, restrict access to the 'AgentFrontend::Ticket::InlineEditing::Property###Watch' setting in the system configuration to minimize the risk of exploitation. For OTRS versions from 2024.X through 2024.4.x, avoid using the 'RequiredLock' setting of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.