OTRS ticket system: Attackers can view unencrypted passwords
The developers of the Open Ticket Request System have closed several security gaps.
Admins who supervise helpdesks with the Open Ticket Request System (OTRS) should install the latest versions of the ticket system software for security reasons.
Closed gaps
In the OTRS Security Center, the developers list three security vulnerabilities that have now been closed. The most dangerous is a password vulnerability (CVE-2024-4344, rated "high"). Under certain conditions, such as when debugging is enabled for the authentication backend, attackers can view customers' plain-text passwords in the OTRS admin log module, among other places.
In addition, two persistent XSS vulnerabilities (CVE-2024-43442, rated "medium"; CVE-2024-43443, rated "medium") can be exploited against admins. However, attackers must already have admin rights to do so.
The developers state that they have resolved the security issues in OTRS versions 2024.6.x and 7.0.51.
(des)