VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2020 · Updated Aug 6, 2024

CVE-2013-3551

Description

Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS and OTRS ITSM vulnerable to unauthorized ticket read via crafted URL in ticket split mechanism (CVE-2013-3551).

Vulnerability

A vulnerability in Kernel/Modules/AgentTicketPhone.pm allows an attacker with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism. Affected versions: OTRS 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7; OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 [1][2].

Exploitation

An attacker must have a valid agent login to OTRS. By requesting a crafted URL that involves the ticket split mechanism, the attacker can access tickets that they are not permitted to see. The vulnerability lies in improper restriction of tickets during the split process [2].

Impact

Successful exploitation allows the attacker to read the contents of restricted tickets, leading to unauthorized information disclosure. The attacker gains access to sensitive data that should be protected by ticket permissions.

Mitigation

Fixed in OTRS versions 3.0.20, 3.1.16, and 3.2.7, and OTRS ITSM versions 3.0.8, 3.1.9, and 3.2.5. Users should upgrade to these patched versions. No workaround is known [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
