CVE-2024-43446: Improper check of permissions in Generic Interface

3.5 CVSS

Description

An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions.

This issue affects:

* OTRS 7.0.X

* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X

* ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Classification

CVE ID: CVE-2024-43446

CVSS Base Severity: LOW

CVSS Base Score: 3.5

Affected Products

Vendor: OTRS AG

Product: OTRS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (scored less or equal to compared to others)

EPSS Date: 2025-02-25 (when was this score calculated)

References

https://otrs.com/release-notes/otrs-security-advisory-2025-02/

Timeline

2025-01-28 00:30:21 UTC
CVE

Improper check of permissions in Generic Interface