← back
CVE-2021-36097

Agents are able to lock the ticket without the "Owner" permission

CVSS 3.5 LOWEPSS 0.5%CWE-266
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Affected products
OTRS AG · OTRS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://otrs.com/release-notes/otrs-security-advisory-2021-20/