Filtered by vendor Otrs
Subscribe
Total
133 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19142 | 1 Otrs | 1 Open Ticket Request System | 2018-12-12 | 3.5 LOW | 4.8 MEDIUM |
| Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin to conduct an XSS attack via a modified URL. | |||||
| CVE-2018-16587 | 2 Debian, Otrs | 2 Debian Linux, Open Ticket Request System | 2018-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to. | |||||
| CVE-2008-1515 | 1 Otrs | 1 Otrs | 2018-10-31 | 6.4 MEDIUM | N/A |
| The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks." | |||||
| CVE-2014-2554 | 2 Opensuse, Otrs | 2 Opensuse, Otrs | 2018-10-30 | 4.3 MEDIUM | N/A |
| OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. | |||||
| CVE-2007-2524 | 1 Otrs | 1 Otrs | 2018-10-16 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841. | |||||
| CVE-2012-4751 | 1 Otrs | 1 Otrs | 2018-08-13 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element. | |||||
| CVE-2012-4600 | 1 Otrs | 2 Otrs, Otrs Itsm | 2018-08-13 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags. | |||||
| CVE-2018-10198 | 1 Otrs | 1 Otrs | 2018-07-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets. | |||||
| CVE-2018-7567 | 1 Otrs | 1 Otrs | 2018-03-29 | 9.0 HIGH | 7.2 HIGH |
| ** DISPUTED ** In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary." | |||||
| CVE-2017-9299 | 1 Otrs | 1 Otrs | 2017-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected. | |||||
| CVE-2011-2385 | 1 Otrs | 2 Iphonehandle, Otrs | 2017-08-28 | 6.5 MEDIUM | N/A |
| The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors. | |||||
| CVE-2011-1433 | 1 Otrs | 1 Otrs | 2017-08-16 | 5.0 MEDIUM | N/A |
| The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the _UserLogin and _UserPW fields. | |||||
| CVE-2011-1518 | 1 Otrs | 1 Otrs | 2017-08-16 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2010-3476 | 1 Otrs | 1 Otrs | 2017-08-16 | 5.0 MEDIUM | N/A |
| Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080. | |||||
| CVE-2010-2080 | 1 Otrs | 1 Otrs | 2017-08-16 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2005-3895 | 1 Otrs | 1 Otrs | 2017-07-19 | 5.8 MEDIUM | N/A |
| Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources. | |||||
| CVE-2005-3893 | 1 Otrs | 1 Otrs | 2017-07-19 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action. | |||||
| CVE-2005-3894 | 1 Otrs | 1 Otrs | 2017-07-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters. | |||||
| CVE-2016-9139 | 1 Otrs | 1 Otrs | 2017-02-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. | |||||
| CVE-2014-9324 | 1 Otrs | 1 Otrs Help Desk | 2017-01-02 | 6.0 MEDIUM | N/A |
| The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. | |||||