{"id":"DEBIAN-CVE-2010-4768","details":"Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions.","modified":"2025-11-20T10:10:40.079686Z","published":"2011-03-18T16:55:01.703Z","upstream":["CVE-2010-4768"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2010-4768"}],"affected":[{"package":{"name":"otrs2","ecosystem":"Debian:11","purl":"pkg:deb/debian/otrs2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.5-1"}]}],"versions":["2.0.4p01-10","2.0.4p01-11","2.0.4p01-12","2.0.4p01-13","2.0.4p01-14","2.0.4p01-14.1","2.0.4p01-15","2.0.4p01-16","2.0.4p01-17","2.0.4p01-18","2.0.4p01-6","2.0.4p01-7","2.0.4p01-8","2.0.4p01-9","2.0.99beta1-1","2.0.99beta1-2","2.1.1-1","2.1.3-1","2.1.4-1","2.1.4-2","2.1.5-1","2.1.5-2","2.1.5-3","2.1.6-1","2.1.7-1","2.1.7-2","2.2.0~beta2-1","2.2.0~beta3-1","2.2.1-1","2.2.2-1","2.2.3-1","2.2.4-1","2.2.5-1","2.2.5-2","2.2.6-1","2.2.7-1","2.2.7-2","2.2.7-2lenny1","2.2.7-2lenny2","2.2.7-2lenny3","2.2.7-3","2.3.2-1","2.3.2-2","2.3.3-1","2.3.4-1","2.3.4-2","2.3.4-3","2.3.4-4","2.3.4-5","2.3.4-6","2.3.4-7"],"ecosystem_specific":{"urgency":"low"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2010-4768.json"}}],"schema_version":"1.7.3"}