It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
References
Link | Resource |
---|---|
https://otrs.com/release-notes/otrs-security-advisory-2020-09/ | Patch Vendor Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Information
Published : 2020-03-27 06:15
Updated : 2021-09-14 06:34
NVD link : CVE-2020-1772
Mitre link : CVE-2020-1772
JSON object : View
CWE
Products Affected
opensuse
- backports_sle
- leap
debian
- debian_linux
otrs
- otrs