CVE-2009-5055
EPSS 0.10%
Description
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
How to fix CVE-2009-5055
To remediate CVE-2009-5055, upgrade the affected package to a fixed version below.
- Debian/otrs2—upgrade to 2.4.5-1 or later
Is CVE-2009-5055 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.4.5-1