rpm package

opensuse/otrs&distro=openSUSE Leap 15.1

pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1

Vulnerabilities (20)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2020-11022	Med	6.9		< 6.0.30-bp152.2.11.1	6.0.30-bp152.2.11.1	Apr 29, 2020	In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-11023		—	KEV	< 6.0.30-bp152.2.11.1	6.0.30-bp152.2.11.1	Apr 29, 2020	In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro
CVE-2020-1773		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 27, 2020	An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS
CVE-2020-1772		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 27, 2020	It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior
CVE-2020-1771		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 27, 2020	Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions.
CVE-2020-1770		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 27, 2020	Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVE-2020-1769		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 27, 2020	In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior version
CVE-2019-16375		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 19, 2020	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string con
CVE-2019-13457		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 10, 2020	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
CVE-2020-1766		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Jan 10, 2020	Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.
CVE-2020-1765		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Jan 10, 2020	An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x
CVE-2019-18179		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Jan 6, 2020	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where
CVE-2019-18180		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Dec 5, 2019	Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community
CVE-2019-13458		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Aug 21, 2019	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in template
CVE-2019-12746		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Aug 21, 2019	An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This
CVE-2019-12497		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Jun 17, 2019	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclose
CVE-2019-12248		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Jun 17, 2019	An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could c
CVE-2019-9892		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	May 21, 2019	An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result
CVE-2019-10067		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	May 21, 2019	An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaS
CVE-2019-9752		—		< 5.0.42-bp151.3.3.1	5.0.42-bp151.3.3.1	Mar 13, 2019	An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the con

CVE-2020-11022MedApr 29, 2020
affected < 6.0.30-bp152.2.11.1fixed 6.0.30-bp152.2.11.1
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-11023KEVApr 29, 2020
affected < 6.0.30-bp152.2.11.1fixed 6.0.30-bp152.2.11.1
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro
CVE-2020-1773Mar 27, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS
CVE-2020-1772Mar 27, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior
CVE-2020-1771Mar 27, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions.
CVE-2020-1770Mar 27, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVE-2020-1769Mar 27, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior version
CVE-2019-16375Mar 19, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string con
CVE-2019-13457Mar 10, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
CVE-2020-1766Jan 10, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.
CVE-2020-1765Jan 10, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x
CVE-2019-18179Jan 6, 2020
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where
CVE-2019-18180Dec 5, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community
CVE-2019-13458Aug 21, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in template
CVE-2019-12746Aug 21, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This
CVE-2019-12497Jun 17, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclose
CVE-2019-12248Jun 17, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could c
CVE-2019-9892May 21, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result
CVE-2019-10067May 21, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaS
CVE-2019-9752Mar 13, 2019
affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the con