Unrated severity · NVD Advisory · Published Jun 17, 2019 · Updated Aug 4, 2024

CVE-2019-12497

Description

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36 disclose agents' personal information in external notes shown in the customer or external frontend.

Vulnerability

The vulnerability resides in the external note functionality of Open Ticket Request System (OTRS) versions 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36 [1]. When an agent adds an external note visible to customers or external users, the system may inadvertently include the agent's personal information, such as name and email address, in the note content [1]. This occurs in the customer or external frontend interfaces, requiring the ticket to be configured to allow external notes [1].

Exploitation

An attacker with access to the customer or external frontend of an affected OTRS instance can exploit this by viewing tickets that contain external notes [1]. No special authentication beyond a standard external user account is necessary [1]. The attacker simply navigates to a ticket where an agent has added an external note, and the agent's personal information is disclosed within the note text [1]. No user interaction or race condition is required [1].

Impact

Successful exploitation leads to the unauthorized disclosure of personally identifiable information (PII) of agents, specifically their full name and email address [1]. This could aid in targeted phishing attacks or social engineering against OTRS agents [1]. The confidentiality of agent data is compromised, though no system integrity or availability is affected [1].

Mitigation

OTRS Community Edition 5.0.x and 6.0.x have reached end-of-life and are no longer receiving security updates [1]. Users of these versions should upgrade to the current OTRS platform, which is continuously maintained [1]. For OTRS 7.0.x, upgrading to version 7.0.9 or later addresses the issue [1]. The official advisory recommends applying the patch as soon as possible [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

References

6
