CVE-2024-23794

Severity: HIGH | CVSS 7.5/10 | EPSS 0.27%


CVE-2024-23794 is a high-severity vulnerability rated 7.5/10 on the CVSS 3.1 scale. An incorrect privilege assignment in the inline editing functionality of OTRS can lead to privilege escalation: an agent with read-only permissions on a ticket can gain full access to it. EPSS estimates a 0.27% chance of exploitation in the next 30 days.

Description

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.

This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
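The advisory describes two preconditions that must hold at the same time: an affected OTRS version and the non-default 'RequiredLock' property on the 'AgentFrontend::Ticket::InlineEditing::Property###Watch' setting. The following is an added example, not OTRS code and not from the advisory, that turns both conditions into an inventory check. The version range follows the affected-software table on this page (>= 8.0.0, < 2024.5.2); the dotted-integer version format and the mapping used to hand in the system configuration are assumptions, and the sample configurations are constructed.

```python
"""Exposure check for CVE-2024-23794.

Added example; this is not OTRS code and not from the advisory.
Assumed (not stated on the page):
- OTRS version strings are dotted integers ('8.0.37', '2024.4.1'); the 8.0.x
  line sorts numerically below the year-based 2023.x / 2024.x lines.
- The system configuration is handed in as a plain mapping from setting
  name to its properties; how you export it from your instance is up to you.
"""
from typing import Mapping, Tuple

# Affected range as listed in the affected-software table on this page.
AFFECTED_MIN = (8, 0, 0)     # inclusive
AFFECTED_MAX = (2024, 5, 2)  # exclusive

# Setting named in the advisory; the flaw is only reachable when an admin
# has enabled its 'RequiredLock' property.
WATCH_SETTING = "AgentFrontend::Ticket::InlineEditing::Property###Watch"
TRIGGER_KEY = "RequiredLock"

# Constructed sample configurations (hypothetical export format).
SAMPLE_CONFIG_DEFAULT = {
    WATCH_SETTING: {"RequiredLock": "0"},
}
SAMPLE_CONFIG_LOCKED = {
    WATCH_SETTING: {"RequiredLock": "1"},
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2024.4.1' -> (2024, 4, 1); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected OTRS version format: {text!r}")
    return (parts + (0, 0, 0))[:3]


def version_affected(text: str) -> bool:
    """True when the version falls inside the page's affected range."""
    return AFFECTED_MIN <= parse_version(text) < AFFECTED_MAX


def _enabled(value: object) -> bool:
    """Treat the usual SysConfig truthy spellings as enabled."""
    if isinstance(value, str):
        return value.strip().lower() in {"1", "yes", "true", "on"}
    return bool(value)


def required_lock_enabled(sysconfig: Mapping[str, Mapping[str, object]]) -> bool:
    """True when the Watch inline-editing property has RequiredLock on."""
    return _enabled(sysconfig.get(WATCH_SETTING, {}).get(TRIGGER_KEY, False))


def exposed(version: str, sysconfig: Mapping[str, Mapping[str, object]]) -> bool:
    """Both preconditions from the advisory must hold: an affected version
    and the non-default RequiredLock setting on the Watch property."""
    return version_affected(version) and required_lock_enabled(sysconfig)


if __name__ == "__main__":
    for ver, cfg in [("2024.4.1", SAMPLE_CONFIG_LOCKED),
                     ("2024.4.1", SAMPLE_CONFIG_DEFAULT),
                     ("2024.5.2", SAMPLE_CONFIG_LOCKED),
                     ("8.0.37", SAMPLE_CONFIG_LOCKED)]:
        print(ver, "exposed" if exposed(ver, cfg) else "not exposed")
```

An instance on an affected version with the default configuration is still worth patching, but the check lets you prioritise the instances where the precondition is actually met.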

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reading the vector: network-reachable (AV:N), high attack complexity (AC:H, consistent with the non-default 'RequiredLock' precondition in the description), low privileges required (PR:L, a read-only agent account), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality, integrity and availability impact (C:H/I:H/A:H).

EPSS Probability
0.27%

18.5th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor | Product | Versions
OTRS | OTRS | >= 8.0.0, < 2024.5.2

References

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2024-23794?
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.

This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
How severe is CVE-2024-23794?
CVE-2024-23794 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.27% probability of exploitation in the next 30 days.
How do I fix CVE-2024-23794?
Upgrade to an OTRS release outside the affected range (the affected-software table above lists >= 8.0.0 and < 2024.5.2 as affected) and check the vendor's advisories for the exact patched build. Until you have patched, audit the 'RequiredLock' property of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration: the description states the flaw is only reachable when an admin has enabled it, so instances on the default setting are not exposed in the meantime. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-23794?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST