VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2020 · Updated Sep 16, 2024

Session / Password / Password token leak

CVE-2020-1773

Description

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS: 7.0.15 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS session IDs and password reset tokens are predictable, enabling session hijacking and password reset attacks.

Vulnerability

The vulnerability lies in the insufficient entropy of session IDs and password reset tokens in OTRS. This affects ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions, and OTRS 7.0.15 and prior versions [1].

Exploitation

An attacker who can generate session IDs or password reset tokens, either by authenticating or by exploiting another vulnerability (OSA-2020-09), can predict tokens of other users. No additional user interaction is required beyond the initial generation [1].

Impact

Successful exploitation allows the attacker to hijack active sessions, reset passwords, and generate predictable passwords for other users. This compromises both confidentiality and integrity, with a CVSS score of 7.3 (HIGH) [1].

Mitigation

Fixed versions are OTRS 7.0.16, ((OTRS)) Community Edition 6.0.27, and 5.0.42. Patches are available via the OTRS GitHub repository. No workarounds are documented [1].
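The weakness described above is a general class: tokens drawn from a source with too little entropy can be predicted by anyone who can observe a few of them. As an added illustration (not OTRS code, and not how OTRS implemented its fix), the following Python shows the properties a password reset token should have so that prediction is infeasible: it is drawn from the operating system CSPRNG with 256 bits of entropy, it is single-use, it expires, and only a hash of it is stored so a leaked database does not yield usable tokens. The `ResetTokenStore` class, `TOKEN_BYTES`, and `TOKEN_TTL_SECONDS` are assumptions chosen for this example.

```python
import hashlib
import secrets
import time

# Assumed parameters for this example: 32 bytes (256 bits) of CSPRNG output per
# token, well above the ~128-bit floor at which guessing becomes infeasible, and
# a 15-minute lifetime for reset tokens.
TOKEN_BYTES = 32
TOKEN_TTL_SECONDS = 15 * 60


def token_entropy_bits(n_bytes: int) -> int:
    """Entropy an attacker must overcome to guess a token of n_bytes random bytes."""
    return n_bytes * 8


def generate_reset_token() -> str:
    """Issue a token from the OS CSPRNG (secrets), never from a seeded PRNG such as random."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class ResetTokenStore:
    """Hypothetical store of issued reset tokens: hashed at rest, single-use, time-limited."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        token = generate_reset_token()
        self._tokens[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token  # the plaintext token goes only to the user (e.g. by e-mail)

    def redeem(self, token: str):
        """Return the user_id bound to the token, or None if unknown, used, or expired."""
        # Looking up by digest rather than by plaintext means any timing leak in the
        # lookup reveals bits of the hash, which do not help in guessing the token.
        entry = self._tokens.pop(self._digest(token), None)  # pop enforces single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


def tokens_are_distinct(count: int = 1000) -> bool:
    """Cheap sanity check: a healthy generator never repeats within a small sample."""
    return len({generate_reset_token() for _ in range(count)}) == count
```

The same pattern applies to session IDs: the identifier itself carries no meaning, so all of its strength comes from the entropy of the generator and from the server refusing to honour a value it did not issue.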

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 9

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)