Vigil@nce - OTRS Help Desk: read-write access via GenericInterface
December 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can bypass the access restrictions of the
OTRS Help Desk GenericInterface, in order to read or alter data.
Impacted products: OTRS Help Desk
Severity: 2/4
Creation date: 16/12/2014
DESCRIPTION OF THE VULNERABILITY
The OTRS Help Desk product manages tickets, which are reachable via
its GenericInterface.
However, GenericInterface does not check whether an attacker is
trying to access another user's ticket.
An authenticated attacker can therefore bypass the access
restrictions of the OTRS Help Desk GenericInterface, in order to
read or alter data.
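The missing check described above, modelled as an added example (not OTRS code and not part of the bulletin): a toy ticket service in Python showing an authentication-only lookup next to a version that also authorizes each ticket on both the read and the write path. All names, sessions and tickets are hypothetical, constructed data.

```python
# Toy model of the flaw class in this bulletin; hypothetical names, not OTRS code.
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised for a bad session or a ticket the caller may not touch."""

@dataclass
class Ticket:
    ticket_id: int
    customer: str   # login of the user the ticket belongs to
    title: str

# Constructed sample data.
TICKETS = {
    1: Ticket(1, "alice", "Printer offline"),
    2: Ticket(2, "bob", "VPN password reset"),
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def authenticate(session_id):
    """Authentication only: map a session to a user, or refuse."""
    if session_id not in SESSIONS:
        raise AccessDenied("invalid session")
    return SESSIONS[session_id]

def ticket_get_unchecked(session_id, ticket_id):
    """Flawed pattern: any authenticated caller receives any ticket."""
    authenticate(session_id)
    return TICKETS[ticket_id]

def load_authorized(session_id, ticket_id):
    """Authenticate, then authorize the caller against this specific ticket."""
    user = authenticate(session_id)
    ticket = TICKETS.get(ticket_id)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if ticket is None or ticket.customer != user:
        raise AccessDenied(f"{user} may not access ticket {ticket_id}")
    return ticket

def ticket_get(session_id, ticket_id):
    return load_authorized(session_id, ticket_id)

def ticket_update(session_id, ticket_id, title):
    ticket = load_authorized(session_id, ticket_id)  # write path uses the same gate
    ticket.title = title
    return ticket
```

Routing every operation through one loader keeps the read and write paths from drifting apart, which is the property to test for after applying the vendor fix.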
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OTRS-Help-Desk-read-write-access-via-GenericInterface-15819