ad-password arrow-down-ring arrow-left arrow-right auto-select cog customer-id excel-statistics external-link featured github icn-admin icn-developer icn-evaluierung icn-installation icn-keyuser icn-konzeptionierung icn-master icn-performance icn-review last-contact linkedin map-person messages multi-upload no-eye out-of-office password-guidlines pending-time phone plus proxy-support quick-close search service-catalog setting-search shield sugarcrm-integration tag-cloud ticket-create twitter watch-arrow watchlist xing

ZSA-2018-08

Privilege escalation using HTML Form-Params

Problem

An attacker can modify unprotected agents and customer-user attributes using special HTML form parameters.

Workaround

As a workaround, you can replace the affected files.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Download

References