{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2020-1767","assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","assignerShortName":"OTRS","dateUpdated":"2024-09-16T16:33:51.552Z","dateReserved":"2019-11-29T00:00:00.000Z","datePublished":"2020-01-10T15:09:00.608Z"},"containers":{"cna":{"title":"Possible to send drafted messages as wrong agent","datePublic":"2020-01-10T00:00:00.000Z","providerMetadata":{"orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS","dateUpdated":"2023-08-31T02:07:04.665Z"},"descriptions":[{"lang":"en","value":"Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions."}],"affected":[{"vendor":"OTRS AG","product":"((OTRS)) Community Edition","versions":[{"version":"6.0.x version 6.0.24 and prior versions","status":"affected"}]},{"vendor":"OTRS AG","product":"OTRS","versions":[{"version":"7.0.x version 7.0.13 and prior versions","status":"affected"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2020-03/"},{"name":"[debian-lts-announce] 20200129 [SECURITY] [DLA 2079-1] otrs2 security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html"},{"name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW"}}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"Sender spoofing"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"advisory":"OSA-2020-03","defect":["2019121042000738"],"discovery":"USER"},"solutions":[{"lang":"en","value":"Upgrade to OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25"},{"lang":"en","value":"Patch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570"}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T06:46:30.861Z"},"title":"CVE Program Container","references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2020-03/","tags":["x_transferred"]},{"name":"[debian-lts-announce] 20200129 [SECURITY] [DLA 2079-1] otrs2 security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html"},{"name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}]}]}}