{"id":"CVE-2024-23792","details":"When adding attachments to ticket comments, another user can add attachments as well, impersonating the original user. The attack requires another logged-in user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment.\n\nThis issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.","modified":"2026-03-14T12:31:11.970391Z","published":"2024-01-29T10:15:08.683Z","references":[{"type":"ADVISORY","url":"https://otrs.com/release-notes/otrs-security-advisory-2024-03/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23792.json","unresolved_ranges":[{"events":[{"introduced":"7.0.0"},{"fixed":"7.0.49"}]},{"events":[{"introduced":"8.0.0"},{"fixed":"2024.1.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}