Unrated severityNVD Advisory· Published Mar 4, 2018· Updated Aug 5, 2024

CVE-2018-7567

Description

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary.

Affected products

OTRS/Otrsinferred
Range: >=6.0.0,<=6.0.1
OTRS/Open Ticket Request System (OTRS)llm-fuzzy
Range: 5.0.0 - 5.0.24, 6.0.0 - 6.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

0day.today/exploit/29938mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000