CVE-2019-9892
Description
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated OTRS agents can read arbitrary files by importing a crafted Report Statistics XML file.
Vulnerability
An XML external entity (XXE) processing flaw exists in the Report Statistics XML import functionality of Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. When an agent user with appropriate permissions imports a specially crafted Report Statistics XML file, the parser does not properly disable external entity resolution, allowing the inclusion of external files from the filesystem [1].
Exploitation
An attacker must be logged into OTRS as an agent user with the necessary permissions to import Report Statistics XML files. The attacker crafts an XML document that defines an external entity pointing to a local file (e.g., /etc/passwd). Upon import, the OTRS XML parser resolves the entity and includes the file content in the resulting data [1]. No additional privileges or user interaction beyond the agent's existing permissions are required.
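As an added illustration (not OTRS's own code), the kind of input gate the import path is missing: it parses the agent-supplied XML with Python's expat bindings and refuses any document that declares a DOCTYPE or an entity, so an external entity is rejected at its declaration instead of being resolved. The root element name and the sample uploads are constructed, and the assumption that a legitimate statistics export never needs a DOCTYPE is mine.

```python
import xml.parsers.expat


class UnsafeXml(Exception):
    """Raised as soon as the upload declares an entity."""


def check_statistics_xml(xml_bytes: bytes) -> dict:
    """Gate an agent-supplied statistics XML upload before any importer
    parses it: refuse the document if it declares a DOCTYPE or any entity,
    since an external entity is how the crafted import pulls in local files.

    Returns {"safe": True, "root": <root element>} or
    {"safe": False, "reason": <why>}.  Assumption (not verified against
    OTRS): a real statistics export never carries a DOCTYPE, so any
    DOCTYPE is treated as hostile, even one that declares no entity.
    """
    seen = {}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        seen["doctype"] = name  # remembered here, rejected after the parse

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Fires for every <!ENTITY ...> in the internal subset. An external
        # entity carries a SYSTEM/PUBLIC id; stop before any reference to
        # it in the body could be expanded.
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXml(f"{kind} entity '{name}' declared (SYSTEM={system_id!r})")

    def on_start(name, attrs):
        seen.setdefault("root", name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXml as exc:
        return {"safe": False, "reason": str(exc)}
    except xml.parsers.expat.ExpatError as exc:
        return {"safe": False, "reason": f"malformed XML: {exc}"}
    if "doctype" in seen:
        return {"safe": False, "reason": f"DOCTYPE '{seen['doctype']}' not allowed"}
    return {"safe": True, "root": seen.get("root")}


# Constructed samples; <otrs_stats> is an illustrative root, not the real schema.
BENIGN_UPLOAD = b'<?xml version="1.0"?><otrs_stats><Title>Open tickets</Title></otrs_stats>'
XXE_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE otrs_stats [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<otrs_stats><Title>&xxe;</Title></otrs_stats>'
)
```

Rejection happens inside the entity-declaration callback, so the file named by the entity is never opened by the gate itself.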
Impact
Successful exploitation allows the attacker to read arbitrary files from the OTRS server's filesystem. The file content is returned within the application's response or stored in a location accessible to the attacker, leading to disclosure of sensitive information such as configuration files, credentials, or other confidential data [1].
Mitigation
The issue is addressed in OTRS 5.0.35, 6.0.18, and 7.0.7 [1]. Users should upgrade to these or later versions immediately. OTRS 6.x is end-of-life and no longer receives security updates, so users on 6.x should migrate to a supported version [1]. No workaround is available; if upgrading is not possible, the Report Statistics import functionality should be restricted to trusted agent users only.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OTRS / Open Ticket Request System
- pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1 (no CPE): < 5.0.42-bp151.3.3.1
- pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2 (no CPE): < 6.0.29-bp152.2.5.4
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015 (no CPE): < 5.0.42-bp151.3.3.1
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE): < 5.0.42-bp151.3.3.1
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE): < 6.0.29-bp152.2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (MITRE; vendor advisory; x_refsource_SUSE)
- community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/ (MITRE; x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/05/msg00003.html (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.