Self Service Security

The unprivileged user currently has the following rights:

  • ReplyToTicket
  • ShowTicket
  • ModifySelf

But the user is still able to view all tickets from any user by
changing the ticket-id in the request URL.

How can I fix this security issue, so that the user can only see his own
tickets?

The unprivileged user currently has the following rights:

  • ReplyToTicket
  • ShowTicket
  • ModifySelf

At least in my testing of v3.6.1, ShowTicket turned out to be Show ANY
Ticket. :)

What I did was set up the Requestor to have the ability to view their
own ticket. Go into Configuration, Global, Group Rights, scroll down to
Roles, Requestor - add ‘ShowTicket’ (and take it away from Everyone in
the Global or Queue setup where you put it).

- Scott
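
The difference between granting ShowTicket to Everyone and granting it to the Requestor role, as an added example that is not part of the original thread and is not RT's own code. It is a simplified model: the ticket ids, user names and helper functions are constructed for illustration.

```python
# Simplified model of group vs. role rights; NOT RT's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    id: int
    requestor: str  # user who opened the ticket


# Constructed sample tickets.
TICKETS = {101: Ticket(101, "alice"), 102: Ticket(102, "bob")}

# Rights keyed by principal. "Everyone" matches any user; "Requestor" is a
# role that only matches the user who opened the ticket being accessed.
BEFORE = {"Everyone": {"ShowTicket", "ReplyToTicket", "ModifySelf"}}
AFTER = {
    "Everyone": {"ReplyToTicket", "ModifySelf"},  # ShowTicket taken away
    "Requestor": {"ShowTicket"},                  # ShowTicket added to the role
}


def principals_for(user, ticket):
    """Principals the user acts as for this specific ticket."""
    principals = {"Everyone"}
    if ticket.requestor == user:
        principals.add("Requestor")
    return principals


def has_right(acl, user, ticket, right):
    """True if any principal the user holds on this ticket carries the right."""
    return any(right in acl.get(p, set()) for p in principals_for(user, ticket))


def visible_ticket_ids(acl, user):
    """Model the user trying every ticket id in the request URL."""
    return sorted(t.id for t in TICKETS.values()
                  if has_right(acl, user, t, "ShowTicket"))


if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, "- bob can view:", visible_ticket_ids(acl, "bob"))
```

After making the change in RT itself, the same check applies: log in as one unprivileged user and request a ticket id that belongs to another user to confirm access is refused.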