{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43446", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2024-08-13T13:38:47.973Z", "datePublished": "2025-01-27T05:58:29.271Z", "dateUpdated": "2025-02-12T20:41:31.804Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Generic Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"lessThan": "2025.1.x", "status": "affected", "version": "2025.x", "versionType": "Patch"}]}, {"defaultStatus": "affected", "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "6.0.34", "status": "affected", "version": "6.0.x", "versionType": "All"}]}], "datePublic": "2025-01-27T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. <br><p></p><p>This issue affects: </p><ul><li>OTRS 7.0.X<br></li><li>OTRS 8.0.X</li><li>OTRS 2023.X</li><li>OTRS 2024.X<br></li><li>((OTRS)) Community Edition: 6.0.x<br></li></ul><div>Products based on the ((OTRS)) Community Edition also very likely to be affected</div><br><p></p>"}], "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \n\nThis issue affects: \n\n * OTRS 7.0.X\n\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS 2024.X\n\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2025-01-27T05:58:29.271Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2025-02/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2025-02", "defect": ["Issue#3124", "Ticket#2024081942000891"], "discovery": "USER"}, "title": "Improper check of permissions in Generic Interface", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-27T13:36:20.253690Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:41:31.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-27T13:36:20.253690Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:36:35.059Z"}}], "cna": {"title": "Improper check of permissions in Generic Interface", "source": {"defect": ["Issue#3124", "Ticket#2024081942000891"], "advisory": "OSA-2025-02", "discovery": "USER"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OTRS AG", "modules": ["Generic Interface"], "product": "OTRS", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x", "lessThan": "2025.1.x", "versionType": "Patch"}], "defaultStatus": "affected"}, {"vendor": "OTRS AG", "product": "((OTRS)) Community Edition", "versions": [{"status": "affected", "version": "6.0.x", "versionType": "All", "lessThanOrEqual": "6.0.34"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches", "supportingMedia": [{"type": "text/html", "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches<br>", "base64": false}]}], "datePublic": "2025-01-27T08:00:00.000Z", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2025-02/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \n\nThis issue affects: \n\n * OTRS 7.0.X\n\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS 2024.X\n\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected", "supportingMedia": [{"type": "text/html", "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. <br><p></p><p>This issue affects: </p><ul><li>OTRS 7.0.X<br></li><li>OTRS 8.0.X</li><li>OTRS 2023.X</li><li>OTRS 2024.X<br></li><li>((OTRS)) Community Edition: 6.0.x<br></li></ul><div>Products based on the ((OTRS)) Community Edition also very likely to be affected</div><br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2025-01-27T05:58:29.271Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43446", "state": "PUBLISHED", "dateUpdated": "2025-02-12T20:41:31.804Z", "dateReserved": "2024-08-13T13:38:47.973Z", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "datePublished": "2025-01-27T05:58:29.271Z", "assignerShortName": "OTRS"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \n\nThis issue affects: \n\n * OTRS 7.0.X\n\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS 2024.X\n\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}, {"lang": "es", "value": "Una vulnerabilidad de administraci\u00f3n de privilegios incorrecta en el m\u00f3dulo de interfaz gen\u00e9rica de OTRS permite cambiar el estado del ticket incluso si el usuario solo tiene permisos ro. Este problema afecta a: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Es muy probable que los productos basados ??en ((OTRS)) Community Edition tambi\u00e9n se vean afectados"}], "id": "CVE-2024-43446", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2025-01-27T06:15:24.033", "references": [{"source": "security@otrs.com", "url": "https://otrs.com/release-notes/otrs-security-advisory-2025-02/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}

{}