VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2020 · Updated Aug 6, 2024

CVE-2013-4088

Description

Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS fails to restrict ticket access in AgentTicketWatcher.pm, allowing agents to read restricted tickets via crafted URLs.

Vulnerability

Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly verify permissions when using the ticket watch mechanism [1][2]. This allows an attacker with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism [2].

Exploitation

The attacker must have a valid agent login to the OTRS system [2]. By manipulating a URL in the ticket watch mechanism, the attacker can bypass permission checks and view tickets they are not authorized to see [1][2]. The exploit requires no additional privileges beyond a standard agent account.

Impact

Successful exploitation leads to unauthorized disclosure of ticket contents, including potentially sensitive information that should not be accessible to the attacker's role [1][2]. The impact is limited to information disclosure; no modification or deletion of tickets is described.

Mitigation

Update to OTRS version 3.0.21, 3.1.17, or 3.2.8, which fix the permission check [1]. These versions were released by the vendor and are available from the OTRS website [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
