Unrated severityNVD Advisory· Published Mar 18, 2011· Updated Jun 16, 2026
CVE-2009-5055
CVE-2009-5055
Description
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
Affected products
92cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*+ 91 more
- cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*range: <=2.4.3
- cpe:2.3:a:otrs:otrs:0.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta5:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta6:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta7:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:0.5:beta8:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.2:*:*:*:*:*:*:*
- (no CPE)range: <2.4.4
Patches
Vulnerability mechanics
References
2- source.otrs.org/viewvc.cgi/otrs/CHANGESnvdExploitPatch
- bugs.otrs.org/show_bug.cginvd
News mentions
0No linked articles in our index yet.