{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23793", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2024-01-22T10:32:00.704Z", "datePublished": "2024-06-06T18:06:58.805Z", "dateUpdated": "2024-08-01T23:13:07.327Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["File Upload"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "7.0.49", "status": "affected", "version": "7.0.x", "versionType": "Patch"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"lessThanOrEqual": "2024.3.2", "status": "affected", "version": "2024.x", "versionType": "Patch"}]}, {"defaultStatus": "affected", "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "6.0.34", "status": "affected", "version": "6.0.1", "versionType": "All"}]}], "datePublic": "2024-06-03T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.<br><p>This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.</p>"}], "value": "The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.\nThis issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "CAPEC-17 Using Malicious Files"}]}, {"capecId": "CAPEC-549", "descriptions": [{"lang": "en", "value": "CAPEC-549 Local Execution of Code"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2024-06-06T18:06:58.805Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-05/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS&nbsp;2024.4.3 or OTRS 7.0.50 (extended support only)<br>"}], "value": "Update to OTRS\u00a02024.4.3 or OTRS 7.0.50 (extended support only)\n"}], "source": {"advisory": "OSA-2024-05", "defect": ["Issue#2411"], "discovery": "INTERNAL"}, "title": "Upload of files outside application directory", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "otrs", "product": "otrs", "cpes": ["cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "7.0.x", "status": "affected", "lessThan": "7.0.49", "versionType": "custom"}, {"version": "8.0.x", "status": "affected"}, {"version": "2023.x", "status": "affected"}, {"version": "2024.x", "status": "affected", "lessThan": "2024.3.2", "versionType": "custom"}]}, {"vendor": "otrs", "product": "otrs_community_edition", "cpes": ["cpe:2.3:a:otrs:otrs_community_edition:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "6.0.1", "status": "affected", "lessThan": "6.0.34", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T20:07:44.167335Z", "id": "CVE-2024-23793", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T20:22:49.508Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:07.327Z"}, "title": "CVE Program Container", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-05/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23793", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2024-01-22T10:32:00.704Z", "datePublished": "2024-06-06T18:06:58.805Z", "dateUpdated": "2024-06-06T20:22:49.508Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["File Upload"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "7.0.49", "status": "affected", "version": "7.0.x", "versionType": "Patch"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"lessThanOrEqual": "2024.3.2", "status": "affected", "version": "2024.x", "versionType": "Patch"}]}, {"defaultStatus": "affected", "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "6.0.34", "status": "affected", "version": "6.0.1", "versionType": "All"}]}], "datePublic": "2024-06-03T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.<br><p>This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.</p>"}], "value": "The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.\nThis issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "CAPEC-17 Using Malicious Files"}]}, {"capecId": "CAPEC-549", "descriptions": [{"lang": "en", "value": "CAPEC-549 Local Execution of Code"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2024-06-06T18:06:58.805Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-05/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS&nbsp;2024.4.3 or OTRS 7.0.50 (extended support only)<br>"}], "value": "Update to OTRS\u00a02024.4.3 or OTRS 7.0.50 (extended support only)\n"}], "source": {"advisory": "OSA-2024-05", "defect": ["Issue#2411"], "discovery": "INTERNAL"}, "title": "Upload of files outside application directory", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23793", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T20:07:44.167335Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*"], "vendor": "otrs", "product": "otrs", "versions": [{"status": "affected", "version": "7.0.x", "lessThan": "7.0.49", "versionType": "custom"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x", "lessThan": "2024.3.2", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:otrs:otrs_community_edition:*:*:*:*:*:*:*:*"], "vendor": "otrs", "product": "otrs_community_edition", "versions": [{"status": "affected", "version": "6.0.1", "lessThan": "6.0.34", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T20:22:13.823Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.\nThis issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}, {"lang": "es", "value": "La funci\u00f3n de carga de archivos en OTRS y ((OTRS)) Community Edition tiene una vulnerabilidad de path traversal. Este problema permite que agentes autenticados o usuarios de clientes carguen archivos potencialmente da\u00f1inos en directorios a los que puede acceder el servidor web, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo local como scripts Perl. Este problema afecta a OTRS: desde 7.0.X hasta 7.0.49, 8.0.X, 2023.X, desde 2024.X hasta 2024.3.2; ((OTRS)) Edici\u00f3n comunitaria: desde 6.0.1 hasta 6.0.34."}], "id": "CVE-2024-23793", "lastModified": "2024-06-07T14:56:05.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2024-06-06T19:15:52.373", "references": [{"source": "security@otrs.com", "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-05/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}