VYPR
Unrated severity · NVD Advisory · Published Aug 21, 2019 · Updated Aug 4, 2024

CVE-2019-13458

Description

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS notification tags allow authenticated agents to disclose hashed passwords in versions 7.0.x to 7.0.8, 5.0.x to 5.0.36, and 6.0.x to 6.0.19.

Vulnerability

An issue in Open Ticket Request System (OTRS) allows an authenticated agent with appropriate permissions to leverage OTRS notification tags in templates to disclose hashed user passwords. Affected versions include OTRS 7.0.x through 7.0.8, Community Edition 5.0.x through 5.0.36, and Community Edition 6.0.x through 6.0.19 [1].

Exploitation

An attacker must be logged into OTRS as an agent user with the necessary permissions. By crafting or modifying notification templates using OTRS notification tags, the attacker can extract hashed password values. The exact sequence of steps is not detailed in the available references, but the vulnerability is triggered through template manipulation [1].

Impact

Successful exploitation results in the disclosure of hashed user passwords. While the passwords are hashed, an attacker could attempt offline cracking to recover plaintext passwords, potentially leading to unauthorized access to other accounts or systems. The impact is primarily information disclosure of sensitive credential hashes [1].

Mitigation

For OTRS 7.0.x, upgrade to version 7.0.9 or later if available. For Community Edition 5.0.x and 6.0.x, note that 6.x is end-of-life and no longer receives security fixes; users should migrate to the current OTRS platform. The advisory [1] recommends upgrading to the latest supported version to address this vulnerability.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
