CVE-2009-5056

Description

Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list.

How to fix CVE-2009-5056

To remediate CVE-2009-5056, upgrade the affected package to a fixed version below.

• Debian/otrs2—upgrade to 2.4.5-1 or later

Is CVE-2009-5056 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.4.5-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-5056