| Bug ID | 1168029 |
|---|---|
| Summary | VUL-0: CVE-2020-1772: otrs: Lost Password requests with wildcard values could allow attacker to retrieve valid Token |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.2 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/256040/ |
| OS | Other |
| Status | NEW |
| Severity | Minor |
| Priority | P5 - None |
| Component | Basesystem |
| Assignee | chris@computersalat.de |
| Reporter | abergmann@suse.com |
| QA Contact | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
CVE-2020-1772 It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1772 https://otrs.com/release-notes/otrs-security-advisory-2020-09/