CVE-2024-23790 (GCVE-0-2024-23790)

Vulnerability from cvelistv5 – Published: 2024-01-29 09:21 – Updated: 2025-06-17 21:29
VLAI?
Title
Missing file type check in avatar picture upload
Summary
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
Severity ?
3.5 (Low)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
OTRS AG OTRS Affected: 8.0.x , ≤ 8.0.37 (Patch)
Affected: 2023 , ≤ 2023.1.1 (Patch)
Affected: 7.0.x , ≤ 7.0.48 (Patch)
Create a notification for this product.
Credits
Special thanks to Matthias Püschel for reporting these vulnerability.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:13:07.512Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-23790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-29T13:20:27.471691Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T21:29:17.700Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Agent Interface",
            "External Interface"
          ],
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "lessThanOrEqual": "8.0.37",
              "status": "affected",
              "version": "8.0.x",
              "versionType": "Patch"
            },
            {
              "lessThanOrEqual": "2023.1.1",
              "status": "affected",
              "version": "2023",
              "versionType": "Patch"
            },
            {
              "lessThanOrEqual": "7.0.48",
              "status": "affected",
              "version": "7.0.x",
              "versionType": "Patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Special thanks to Matthias P\u00fcschel for reporting these vulnerability."
        }
      ],
      "datePublic": "2024-01-29T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\u003cbr\u003e\u003cp\u003eThis issue affects OTRS:  from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\nThis issue affects OTRS:  from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-212",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-212 Functionality Misuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-29T09:21:14.996Z",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-01/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUpdate to OTRS Patch 2024.1.1\u003c/div\u003e\u003cdiv\u003eUpdate to OTRS 7.0.49 (Long Term Support Users)\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "Update to OTRS Patch 2024.1.1\n\nUpdate to OTRS 7.0.49 (Long Term Support Users)\n\n"
        }
      ],
      "source": {
        "advisory": "OSA-2024-01",
        "defect": [
          "Ticket#2023083042000825",
          "Issue#1306"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Missing file type check in avatar picture upload",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2024-23790",
    "datePublished": "2024-01-29T09:21:14.996Z",
    "dateReserved": "2024-01-22T10:32:00.704Z",
    "dateUpdated": "2025-06-17T21:29:17.700Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.49\", \"matchCriteriaId\": \"4E47E75A-C9A9-40EE-A5DE-B4CDD98E7B7F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"2024.1.1\", \"matchCriteriaId\": \"3B9B2075-4C3E-48C9-96DA-655E4F29325A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\\nThis issue affects OTRS:  from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de validaci\\u00f3n de entrada incorrecta en la funcionalidad de carga de avatares de usuarios permite un mal uso de la funcionalidad debido a la falta de verificaci\\u00f3n de los tipos de archivos. Este problema afecta a OTRS: desde 7.0.X hasta 7.0.48, desde 8.0.X hasta 8.0.37, desde 2023 hasta 2023.1.1.\"}]",
      "id": "CVE-2024-23790",
      "lastModified": "2024-11-21T08:58:25.423",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-01-29T10:15:08.263",
      "references": "[{\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2024-01/\", \"source\": \"security@otrs.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2024-01/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@otrs.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-354\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-23790\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2024-01-29T10:15:08.263\",\"lastModified\":\"2024-11-21T08:58:25.423\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.\\nThis issue affects OTRS:  from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de validaci\u00f3n de entrada incorrecta en la funcionalidad de carga de avatares de usuarios permite un mal uso de la funcionalidad debido a la falta de verificaci\u00f3n de los tipos de archivos. Este problema afecta a OTRS: desde 7.0.X hasta 7.0.48, desde 8.0.X hasta 8.0.37, desde 2023 hasta 2023.1.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-354\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.49\",\"matchCriteriaId\":\"4E47E75A-C9A9-40EE-A5DE-B4CDD98E7B7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"2024.1.1\",\"matchCriteriaId\":\"3B9B2075-4C3E-48C9-96DA-655E4F29325A\"}]}]}],\"references\":[{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2024-01/\",\"source\":\"security@otrs.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2024-01/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.