cve/2024/CVE-2024-23794.md

### [CVE-2024-23794](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23794)
![](https://img.shields.io/static/v1?label=Product&message=OTRS&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2023.x%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=2024.x%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=8.0.x%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-266%20Incorrect%20Privilege%20Assignment&color=brightgreen)

### Description

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:   *  8.0.X  *  2023.X  *  from 2024.X through 2024.4.x

### POC

#### Reference
- https://otrs.com/release-notes/otrs-security-advisory-2024-06/

#### Github
No PoCs found on GitHub currently.