CVE-2019-12746
Description
An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused in order to impersonate the agent user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An agent in OTRS Community Edition can unknowingly disclose their session ID by sharing a ticket article link, allowing impersonation.
Vulnerability
An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. The vulnerability arises because a user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties [1]. No special configuration is required beyond a standard agent account with the ability to access and share ticket article links.
Exploitation
An attacker does not need any prior authentication or special network position. The exploitation relies on a legitimate agent user sharing a link to a ticket article that embeds the session ID. The agent may do this inadvertently, for example by copying a URL from their browser or email client. Once the third party receives the link, they can extract the session ID and potentially use it to impersonate the agent.
Impact
On successful exploitation, the attacker can impersonate the agent user, gaining the same level of access within the OTRS system. This could lead to unauthorized viewing, modification, or deletion of tickets and customer data, resulting in confidentiality, integrity, and availability compromises. The exact scope depends on the agent's privileges [1].
Mitigation
The OTRS advisory recommends upgrading to the latest supported version. However, note that OTRS Community Edition 6.x is end-of-life and no longer maintained by OTRS, meaning no official security fixes are provided for that branch [1]. Users should migrate to a current supported release to receive security updates and avoid this vulnerability.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OTRS/Open Ticket Request System Community Edition (description)
  - Range: 5.0.0 - 5.0.36, 6.0.0 - 6.0.19
- osv-coords (5 versions)
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2
  - (no CPE) range: < 5.0.42-bp151.3.3.1
  - (no CPE) range: < 6.0.29-bp152.2.5.4
  - (no CPE) range: < 5.0.42-bp151.3.3.1
  - (no CPE) range: < 5.0.42-bp151.3.3.1
  - (no CPE) range: < 6.0.29-bp152.2.5.4
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (mitre, mailing-list)
- community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/ (mitre)
- lists.debian.org/debian-lts-announce/2019/08/msg00018.html (mitre)
- www.otrs.com/category/release-and-security-notes-en/ (mitre)