CVE-2024-23792

Name of the Vulnerable Software and Affected Versions OTRS versions 7.0.X through 7.0.48 OTRS versions 8.0.X through 8.0.37 OTRS versions 2023.X through 2023.1.1

Description The issue is related to the handling of attachments in ticket comments, allowing another user to add attachments impersonating the original user. This requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. The attack exploits weaknesses in the authentication procedure.

Recommendations For OTRS versions 7.0.X through 7.0.48, update to a version outside of this range to resolve the issue. For OTRS versions 8.0.X through 8.0.37, update to a version outside of this range to resolve the issue. For OTRS versions 2023.X through 2023.1.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the attachment feature in ticket comments until a patch is available.