SECURITY ADVISORY
- PUBLISHED: April 18, 2024
- RELEASE TYPE: Security Patch Release
- CRITICALITY: HIGH
- AFFECTED VERSIONS: OTOBO 10.1, OTOBO 10.0
- REFERENCE: CVE-2024-32491 (https://www.cve.org/CVERecord?id=CVE-2024-32491)
Description
Problem
- Fixed a path traversal vulnerability that allowed authenticated users to perform code injection. The default configuration of OTOBO is not affected; only systems where the SysConfig setting 'WebUploadCacheModule' is set to 'Kernel::System::Web::UploadCache::FS' are affected. (CVE-2024-32491) [#3309]
Many thanks to Martino Spagnuolo for reporting the vulnerability.
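The advisory does not describe how the traversal in the FS upload cache is triggered, and the following is an added example, not OTOBO's code: it shows the general pattern behind this vulnerability class, a path built from caller-controlled parts without a containment check, next to a hardened variant that rejects separators and verifies the resolved path stays under the cache root. The function names, the cache directory and all inputs are constructed for illustration.

```python
import os

# Hypothetical cache root, constructed for the example; the real OTOBO cache
# location is not stated in the advisory.
CACHE_ROOT = "/opt/otobo/var/tmp/upload_cache"

# The only configuration value the advisory names as the precondition for exposure.
AFFECTED_MODULE = "Kernel::System::Web::UploadCache::FS"


def is_affected_config(web_upload_cache_module):
    """True when SysConfig 'WebUploadCacheModule' selects the file-system cache."""
    return web_upload_cache_module == AFFECTED_MODULE


def naive_cache_path(cache_root, form_id, filename):
    """Unsafe pattern: joins caller-controlled parts with no containment check.

    normpath() collapses '..' segments, so a filename such as
    '../../../../etc/passwd' resolves to a path outside cache_root.
    """
    return os.path.normpath(os.path.join(cache_root, form_id, filename))


def safe_cache_path(cache_root, form_id, filename):
    """Hardened variant: returns the resolved path, or None if it must be rejected.

    1. Each component must be a single, non-empty path element: no separators,
       no NUL byte, and not '.' or '..'.
    2. After symlink resolution the candidate must still be inside cache_root.
    """
    for part in (form_id, filename):
        if not part or part in (".", ".."):
            return None
        if "/" in part or "\\" in part or "\0" in part:
            return None
    root = os.path.realpath(cache_root)
    candidate = os.path.realpath(os.path.join(root, form_id, filename))
    # commonpath() is used instead of startswith() so that a sibling directory
    # such as '/opt/otobo/var/tmp/upload_cache2' is not accepted as "inside".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print(is_affected_config(AFFECTED_MODULE))
    print(naive_cache_path(CACHE_ROOT, "1713", "../../../../../../etc/passwd"))
    print(safe_cache_path(CACHE_ROOT, "1713", "../../../../../../etc/passwd"))
    print(safe_cache_path(CACHE_ROOT, "1713", "report.pdf"))
```

The first check on each component is what blocks the traversal; the commonpath check is the defence in depth that still holds if a component passes the lexical test but a symlink inside the cache points elsewhere.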
Potential consequences
- Code Injection
Measures for Secure Operation
Update to OTOBO 10.0.21
A security patch update is available to fix the vulnerability. Please update your system.
Bug Fixes
- [Bugfix] Correction of the sorting so that the SysConfig search works correctly [#3277]
We are happy to answer your questions. Please contact us.
If you are a support customer and need assistance with the security patch, please contact us via the support portal.
Report a security issue: security@otobo.org