CVE-2010-4768 Information

Description

Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions.

Reference

http://bugs.otrs.org/show_bug.cgi?id=3499 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807