CVE-2019-18179
Description
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OTRS agents can list tickets of other agents without proper queue permissions in versions before the fixed releases.
Vulnerability
An authorization bypass issue exists in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, Community Edition 5.0.x through 5.0.38, and 6.0.x through 6.0.23. An agent logged into OTRS can enumerate tickets assigned to other agents, even for queues where the attacker lacks explicit read permissions [1].
Exploitation
The attacker must be authenticated as an OTRS agent. No special privilege or queue access is required beyond standard agent login. The attacker can craft requests or use the interface to list tickets belonging to other agents, bypassing the intended queue-based access controls [1].
Impact
An authenticated attacker gains unauthorized read access to ticket data (including subject, body, and metadata) assigned to other agents, regardless of queue permissions. This leads to information disclosure of potentially sensitive customer or internal data. No write or modification capabilities are indicated [1].
Mitigation
OTRS recommends upgrading to OTRS 7.0.13 or later (for the 7.0.x line), OTRS Community Edition 6.0.24 or later (for 6.0.x), or OTRS Community Edition 5.0.39 or later (for 5.0.x). OTRS 6.x Community Edition is end-of-life and no longer receives security updates; users should migrate to the current supported OTRS version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- OTRS / Open Ticket Request System (from the CVE description)
- OSV coordinates (5 versions; no CPE assigned). Affected version ranges, in the same order as the coordinates:
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1: < 5.0.42-bp151.3.3.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2: < 6.0.29-bp152.2.5.4
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2: < 6.0.29-bp152.2.5.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (MITRE; vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (MITRE; vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (MITRE; vendor advisory)
- lists.debian.org/debian-lts-announce/2020/01/msg00000.html (MITRE; mailing list)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MITRE; mailing list)
- community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/ (MITRE)
News mentions (0)
No linked articles in our index yet.