VYPR
Get started
← All advisories
High severity8.8NVD Advisory· Published Dec 8, 2017· Updated May 13, 2026

CVE-2017-16921

CVE-2017-16921

Description

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.

Affected products

70
  • OTRS/Otrs67 versions
    cpe:2.3:a:otrs:otrs:4.0.1:*:*:*:*:*:*:*+ 66 more
    • cpe:2.3:a:otrs:otrs:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:4.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:beta5:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:5.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:beta5:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:6.0.1:*:*:*:*:*:*:*
  • Debian/Debian Linux3 versions
    cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 2 more
    • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.