CVE-2020-1767

Name: CVE-2020-1767
Description: Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                                        Version           Status
otrs2 (PTS)     stretch/non-free (security), stretch/non-free  5.0.16-1+deb9u6   vulnerable
                buster/non-free                                6.0.16-2          vulnerable
                bullseye/non-free                              6.0.24-1          vulnerable
                sid/non-free                                   6.0.25-2          fixed
                jessie                                         3.3.18-1+deb8u4   vulnerable
                jessie (security)                              3.3.18-1+deb8u12  vulnerable

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
otrs2    source  (unstable)  6.0.25-1

Notes

[buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
https://otrs.com/release-notes/otrs-security-advisory-2020-03/
https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570
