CVE-2023-2534— Information disclouse and DoS via websocket push events

Information disclouse and DoS via websocket push events

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

授权机制不恰当

OTRS 安全漏洞

OTRS是德国OTRS公司的一个应用软件。一个服务管理软件。 OTRS AG OTRS 8存在安全漏洞。攻击者利用该漏洞跟踪用户行为并实时了解整体系统使用情况。

N/A

N/A