Filtered by vendor Otrs
Subscribe
Search
Total
17 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6254 | 1 Otrs | 1 Otrs | 2023-12-01 | N/A | 7.5 HIGH |
| A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through 8.0.37. | |||||
| CVE-2023-38060 | 1 Otrs | 1 Otrs | 2023-08-01 | N/A | 8.8 HIGH |
| Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2023-38056 | 1 Otrs | 1 Otrs | 2023-08-01 | N/A | 7.2 HIGH |
| Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2021-36100 | 1 Otrs | 3 Otrs, Otrs Itsm, Otrs Storm | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| Specially crafted string in OTRS system configuration can allow the execution of any system command. | |||||
| CVE-2020-1772 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2021-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | |||||
| CVE-2013-4717 | 1 Otrs | 2 Otrs, Otrs Itsm | 2021-08-17 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. | |||||
| CVE-2021-21441 | 1 Otrs | 1 Otrs | 2021-06-29 | 4.3 MEDIUM | 7.5 HIGH |
| There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions. | |||||
| CVE-2017-16921 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2021-04-22 | 9.0 HIGH | 8.8 HIGH |
| In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user. | |||||
| CVE-2019-18180 | 1 Otrs | 1 Otrs | 2020-09-23 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions. | |||||
| CVE-2020-1773 | 1 Otrs | 1 Otrs | 2020-09-23 | 5.5 MEDIUM | 8.1 HIGH |
| An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | |||||
| CVE-2017-9324 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. | |||||
| CVE-2017-17476 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email. | |||||
| CVE-2017-15864 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-10-03 | 4.0 MEDIUM | 8.8 HIGH |
| In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. | |||||
| CVE-2018-14593 | 2 Debian, Otrs | 2 Debian Linux, Open Ticket Request System | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL. | |||||
| CVE-2017-14635 | 1 Otrs | 1 Otrs | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. | |||||
| CVE-2017-16664 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-05-08 | 6.5 MEDIUM | 8.8 HIGH |
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. | |||||
| CVE-2018-7567 | 1 Otrs | 1 Otrs | 2018-03-29 | 9.0 HIGH | 7.2 HIGH |
| ** DISPUTED ** In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary." | |||||