Agents are able to lock a ticket without the "Owner" permission. Once the ticket is locked, it could be moved to a queue where the agent has "rw" permissions, giving the agent full control of it. This issue affects OTRS AG OTRS 8.0.x, version 8.0.16 and prior versions.
References
| Link | Resource |
|---|---|
| https://otrs.com/release-notes/otrs-security-advisory-2021-20/ | Release Notes, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: OTRS
Published: 2021-10-18T00:00:00
Updated: 2021-10-18T07:00:13
Reserved: 2021-07-01T00:00:00
Link: CVE-2021-36097
NVD Information
Status: Analyzed
Published: 2021-10-18T07:15:07.413
Modified: 2022-10-27T13:04:41.940
Link: CVE-2021-36097
Redhat Information
No data.