Total: 117 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-14635 | 1 Otrs | 1 Otrs | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. | |||||
CVE-2017-15864 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-10-02 | 4.0 MEDIUM | 8.8 HIGH |
In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. | |||||
CVE-2017-9324 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. | |||||
CVE-2019-10066 | 1 Otrs | 1 Otrs | 2019-05-22 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS. | |||||
CVE-2017-16664 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-05-08 | 6.5 MEDIUM | 8.8 HIGH |
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. | |||||
CVE-2017-16854 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2019-04-29 | 4.0 MEDIUM | 6.5 MEDIUM |
In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. | |||||
CVE-2018-20800 | 1 Otrs | 1 Otrs | 2019-03-18 | 5.5 MEDIUM | 6.5 MEDIUM |
An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13. Users updating to 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table. | |||||
CVE-2019-9751 | 1 Otrs | 1 Otrs | 2019-03-15 | 3.5 LOW | 4.8 MEDIUM |
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm. | |||||
CVE-2008-1515 | 1 Otrs | 1 Otrs | 2018-10-31 | 6.4 MEDIUM | N/A |
The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks." | |||||
CVE-2014-2554 | 2 Opensuse, Otrs | 2 Opensuse, Otrs | 2018-10-30 | 4.3 MEDIUM | N/A |
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. | |||||
CVE-2007-2524 | 1 Otrs | 1 Otrs | 2018-10-16 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841. | |||||
CVE-2012-4751 | 1 Otrs | 1 Otrs | 2018-08-13 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element. | |||||
CVE-2012-4600 | 1 Otrs | 2 Otrs, Otrs Itsm | 2018-08-13 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags. | |||||
CVE-2018-10198 | 1 Otrs | 1 Otrs | 2018-07-31 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets. | |||||
CVE-2018-7567 | 1 Otrs | 1 Otrs | 2018-03-29 | 9.0 HIGH | 7.2 HIGH |
** DISPUTED ** In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary." | |||||
CVE-2017-9299 | 1 Otrs | 1 Otrs | 2017-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected. | |||||
CVE-2011-2385 | 1 Otrs | 2 Iphonehandle, Otrs | 2017-08-28 | 6.5 MEDIUM | N/A |
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors. | |||||
CVE-2011-1433 | 1 Otrs | 1 Otrs | 2017-08-16 | 5.0 MEDIUM | N/A |
The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the _UserLogin and _UserPW fields. | |||||
CVE-2011-1518 | 1 Otrs | 1 Otrs | 2017-08-16 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2010-2080 | 1 Otrs | 1 Otrs | 2017-08-16 | 3.5 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |