CVE-2024-23790 - OpenCVE

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Otrs	Otrs

Configuration 1 [-]

OR	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs::::::::

No data.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2024-01/

History

No history.

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2024-01-29T09:21:14.996Z

Updated: 2024-08-01T23:13:07.512Z

Reserved: 2024-01-22T10:32:00.704Z

Link: CVE-2024-23790

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-29T10:15:08.263

Modified: 2024-02-02T02:07:58.653

Link: CVE-2024-23790

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23790", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2024-01-22T10:32:00.704Z", "datePublished": "2024-01-29T09:21:14.996Z", "dateUpdated": "2024-08-01T23:13:07.512Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Agent Interface", "External Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "8.0.37", "status": "affected", "version": "8.0.x", "versionType": "Patch"}, {"lessThanOrEqual": "2023.1.1", "status": "affected", "version": "2023", "versionType": "Patch"}, {"lessThanOrEqual": "7.0.48", "status": "affected", "version": "7.0.x", "versionType": "Patch"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Special thanks to Matthias P\u00fcschel for reporting these vulnerability."}], "datePublic": "2024-01-29T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.<br><p>This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.</p>"}], "value": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\nThis issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\n\n"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2024-01-29T09:21:14.996Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Update to OTRS Patch 2024.1.1</div><div>Update to OTRS 7.0.49 (Long Term Support Users)<br></div><div><br></div><br>"}], "value": "Update to OTRS Patch 2024.1.1\n\nUpdate to OTRS 7.0.49 (Long Term Support Users)\n\n"}], "source": {"advisory": "OSA-2024-01", "defect": ["Ticket#2023083042000825", "Issue#1306"], "discovery": "EXTERNAL"}, "title": "Missing file type check in avatar picture upload", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:07.512Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E47E75A-C9A9-40EE-A5DE-B4CDD98E7B7F", "versionEndExcluding": "7.0.49", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B9B2075-4C3E-48C9-96DA-655E4F29325A", "versionEndExcluding": "2024.1.1", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\nThis issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\n\n"}, {"lang": "es", "value": "Una vulnerabilidad de validaci\u00f3n de entrada incorrecta en la funcionalidad de carga de avatares de usuarios permite un mal uso de la funcionalidad debido a la falta de verificaci\u00f3n de los tipos de archivos. Este problema afecta a OTRS: desde 7.0.X hasta 7.0.48, desde 8.0.X hasta 8.0.37, desde 2023 hasta 2023.1.1."}], "id": "CVE-2024-23790", "lastModified": "2024-02-02T02:07:58.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2024-01-29T10:15:08.263", "references": [{"source": "security@otrs.com", "tags": ["Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-354"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@otrs.com", "type": "Secondary"}]}