ad-password arrow-down-ring arrow-left arrow-right auto-select cog customer-id excel-statistics external-link featured github icn-admin icn-developer icn-evaluierung icn-installation icn-keyuser icn-konzeptionierung icn-master icn-performance icn-review last-contact linkedin map-person messages multi-upload no-eye out-of-office password-guidlines pending-time phone plus proxy-support quick-close search service-catalog setting-search shield sugarcrm-integration tag-cloud ticket-create twitter watch-arrow watchlist xing

ZSA-2020-09

Session ID, password and password reset token security issue

Problem

A logged in user can guess session IDs, password reset tokens and generated passwords of other users/sessions.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Workaround

The official fix for this issue changes 60 files in OTRS. Therefore, there is no workaround. Your OTRS installation must be updated to version 6.0.27 or 5.0.42.

ATTENTION: Please check if you have any files in your OTRS installation that have been changed by additional add-ons. In that case you MUST NOT update your OTRS. Please contact us instead.

References