{"id":"UBUNTU-CVE-2024-23792","details":"When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.","modified":"2026-05-20T16:08:46.045163827Z","published":"2024-01-29T10:15:00Z","upstream":["CVE-2024-23792"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-23792"},{"type":"REPORT","url":"https://otrs.com/release-notes/otrs-security-advisory-2024-03/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-23792"}],"affected":[{"package":{"name":"otrs2","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/otrs2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.0.10-1","5.0.1-1","5.0.1-2","5.0.2-1","5.0.3-1","5.0.5-1","5.0.6-1","5.0.7-1"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs","binary_version":"5.0.7-1"},{"binary_name":"otrs2","binary_version":"5.0.7-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"otrs2","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/otrs2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.0.23-1","5.0.24-1","6.0.1-1","6.0.2-1","6.0.3-1","6.0.4-1","6.0.5-1"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs","binary_version":"6.0.5-1"},{"binary_name":"otrs2","binary_version":"6.0.5-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"otrs2","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/otrs2?arch=source&distro=focal"},"rang
es":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.0.20-1","6.0.23-2","6.0.24-1","6.0.25-1","6.0.25-2","6.0.25-3","6.0.26-1"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs","binary_version":"6.0.26-1"},{"binary_name":"otrs2","binary_version":"6.0.26-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"otrs2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/otrs2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.0.32-6","6.1.2-1","6.2.1-1","6.2.2-2"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs2","binary_version":"6.2.2-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"znuny","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/znuny?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.5.3-1","6.5.4-1","6.5.5-1","6.5.6-1"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs2","binary_version":"6.5.6-1"},{"binary_name":"znuny","binary_version":"6.5.6-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"znuny","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/znuny?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.5.14-1","6.5.15-2"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs2","binary_version":"6.5.15-2"},{"binary_name":"znuny","binary_version":"6.5.15-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}},{"package":{"name":"znuny","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/znuny?arch=source&distro=resolute"},"ranges":[{"typ
e":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.5.15-2","6.5.18-1"],"ecosystem_specific":{"binaries":[{"binary_name":"otrs2","binary_version":"6.5.18-1"},{"binary_name":"znuny","binary_version":"6.5.18-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-23792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}