VYPR
Unrated severity · NVD Advisory · Published Mar 10, 2020 · Updated Aug 4, 2024

CVE-2019-13457

Description

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In OTRS 7.0.x before 7.0.9, a customer user can access company tickets via search results even when the CustomerDisableCompanyTicketAccess setting is enabled.

Vulnerability

An information disclosure vulnerability exists in Open Ticket Request System (OTRS) 7.0.0 through 7.0.8. A customer user can use ticket search to disclose information from tickets opened by other customer users of their "company" (tickets sharing the same CustomerID), even when the administrator has explicitly disabled company-wide ticket access by enabling the CustomerDisableCompanyTicketAccess setting [1].

Exploitation

An attacker needs an authenticated customer user account on the OTRS instance; no privileges beyond ordinary customer access are required. A search issued from the customer interface returns tickets opened by other customer users with the same CustomerID, which the CustomerDisableCompanyTicketAccess setting is supposed to hide. The advisory does not detail the exact steps; the standard search interface with the setting enabled is sufficient [1].
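The bug class described above, modeled as an added Python example. This is not OTRS code: the ticket fields, the two read paths (overview and search) and the fix are assumptions standing in for the real OTRS 7.0.8/7.0.9 code, which is not reproduced here. The model shows a visibility rule that honours CustomerDisableCompanyTicketAccess on the ticket overview, a search path that drifted from it and filters on CustomerID alone, and a fixed search routed through the same predicate. The leaked_ticket_numbers helper is the check a practitioner would want: compare what search returns for a customer user against what the overview would show that user.

```python
"""Model of the CVE-2019-13457 access-control failure: an authorization
rule enforced on one read path (ticket overview) but not another (search).

Added illustration, not OTRS code. Ticket fields, the two read paths and
the fixed version are assumptions used to model the bug class.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    tn: str              # ticket number
    customer_user: str   # login of the customer user who opened it
    customer_id: str     # company ("CustomerID") that user belongs to
    title: str


# Constructed sample data: two users of one company plus an outsider.
TICKETS = [
    Ticket("2019071210000001", "alice", "ACME", "VPN access for new hire"),
    Ticket("2019071210000002", "bob", "ACME", "Payroll export fails"),
    Ticket("2019071210000003", "carol", "INITECH", "Printer offline"),
]

# Constructed mapping of customer user -> CustomerID.
USER_COMPANY = {"alice": "ACME", "bob": "ACME", "carol": "INITECH"}


def customer_can_see(user, ticket, disable_company_access):
    """Single source of truth for customer ticket visibility.

    Own tickets are always visible; company tickets (same CustomerID)
    only while CustomerDisableCompanyTicketAccess is off.
    """
    if ticket.customer_user == user:
        return True
    if disable_company_access:
        return False
    return ticket.customer_id == USER_COMPANY[user]


def overview(user, disable_company_access):
    """Ticket overview: applies the visibility rule correctly."""
    return [t for t in TICKETS if customer_can_see(user, t, disable_company_access)]


def search_vulnerable(user, term, disable_company_access):
    """Hypothetical vulnerable search: its own ad-hoc filter keys on the
    CustomerID alone and never consults the setting, so company tickets
    leak whenever the term matches. The setting argument is ignored."""
    company = USER_COMPANY[user]
    return [t for t in TICKETS
            if t.customer_id == company and term.lower() in t.title.lower()]


def search_fixed(user, term, disable_company_access):
    """Fixed search: reuses the same predicate as the overview."""
    return [t for t in TICKETS
            if customer_can_see(user, t, disable_company_access)
            and term.lower() in t.title.lower()]


def leaked_ticket_numbers(search_fn, user, term, disable_company_access):
    """Ticket numbers the search returns that the overview would not show
    the same user. A non-empty result means the search path bypasses the
    access rule."""
    allowed = {t.tn for t in overview(user, disable_company_access)}
    return sorted(t.tn for t in search_fn(user, term, disable_company_access)
                  if t.tn not in allowed)


if __name__ == "__main__":
    # Setting enabled: alice should see only her own ticket on either path.
    print("leak via vulnerable search:",
          leaked_ticket_numbers(search_vulnerable, "alice", "payroll", True))
    print("leak via fixed search:",
          leaked_ticket_numbers(search_fixed, "alice", "payroll", True))
```

The design point is the one the fix embodies: every read path that exposes ticket data to a customer user (overview, search, any export or API) must go through one visibility predicate, so that a setting like CustomerDisableCompanyTicketAccess cannot be honoured in one place and forgotten in another.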

Impact

A successful attack results in unauthorized disclosure of ticket data belonging to other customer users with the same CustomerID. The impact is limited to reading ticket details; the cited advisory assigns a CVSS v3 base score of 3.8 (Low) [1]. Confidentiality of ticket information is violated, while integrity and availability are not affected, and the attacker gains no privileges beyond reading company tickets [1].

Mitigation

The vulnerability is fixed in OTRS 7.0.9, released on 2019-07-12 [1]. The advisory recommends upgrading to OTRS 7.0.9 or later; no workaround is given for installations that cannot upgrade immediately, so any 7.0.x instance older than 7.0.9 should be treated as affected regardless of the CustomerDisableCompanyTicketAccess setting. On-Premise customers can obtain the fixed version from the OTRS portal download area [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
