rpm package
suse/otrs&distro=SUSE Package Hub 15 SP1
pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11022 | Med | 6.9 | < 6.0.30-bp152.2.11.1 | 6.0.30-bp152.2.11.1 | Apr 29, 2020 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |
| CVE-2020-11023 | Med | 6.9 | KEV | < 6.0.30-bp152.2.11.1 | 6.0.30-bp152.2.11.1 | Apr 29, 2020 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro |
| CVE-2020-1773 | Hig | 7.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 27, 2020 | An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS | |
| CVE-2020-1772 | Med | 6.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 27, 2020 | It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior | |
| CVE-2020-1771 | Med | 4.6 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 27, 2020 | Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. | |
| CVE-2020-1770 | Low | 2.4 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 27, 2020 | Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | |
| CVE-2020-1769 | Low | 3.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 27, 2020 | In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior version | |
| CVE-2019-16375 | Med | 5.4 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 19, 2020 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string con | |
| CVE-2019-13457 | Med | 4.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 10, 2020 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on. | |
| CVE-2020-1766 | Low | 2.0 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Jan 10, 2020 | Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5. | |
| CVE-2020-1765 | Low | 3.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Jan 10, 2020 | An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x | |
| CVE-2019-18179 | Med | 4.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Jan 6, 2020 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where | |
| CVE-2019-18180 | Med | 5.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Dec 5, 2019 | Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community | |
| CVE-2019-13458 | Med | 6.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Aug 21, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in template | |
| CVE-2019-12746 | Med | 6.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Aug 21, 2019 | An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This | |
| CVE-2019-12248 | Med | 4.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Jun 17, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could c | |
| CVE-2019-12497 | Med | 5.3 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Jun 17, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclose | |
| CVE-2019-9892 | Med | 6.5 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | May 22, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result | |
| CVE-2019-10067 | Med | 5.4 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | May 22, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaS | |
| CVE-2019-9752 | Med | 5.4 | < 5.0.42-bp151.3.3.1 | 5.0.42-bp151.3.3.1 | Mar 13, 2019 | An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the con |
- affected < 6.0.30-bp152.2.11.1fixed 6.0.30-bp152.2.11.1
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
- affected < 6.0.30-bp152.2.11.1fixed 6.0.30-bp152.2.11.1
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions.
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior version
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string con
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in template
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could c
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclose
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaS
- affected < 5.0.42-bp151.3.3.1fixed 5.0.42-bp151.3.3.1
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the con