VYPR

((OTRS)) Community Edition

by OTRS

CVEs (44)

  • CVE-2021-36093MedSep 6, 2021
    risk 0.35cvss 5.3epss 0.01

    It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15…

  • CVE-2019-16375MedMar 19, 2020
    risk 0.35cvss 5.4epss 0.01

    An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string…

  • CVE-2019-18180MedDec 5, 2019
    risk 0.35cvss 5.3epss 0.02

    Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community…

  • CVE-2019-12497MedJun 17, 2019
    risk 0.35cvss 5.3epss 0.02

    An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be…

  • CVE-2019-10067MedMay 22, 2019
    risk 0.35cvss 5.4epss 0.01

    An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of…

  • CVE-2023-38059MedOct 16, 2023
    risk 0.34cvss 5.3epss 0.00

    The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition:…

  • CVE-2021-36096MedSep 6, 2021
    risk 0.34cvss 5.2epss 0.00

    Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior…

  • CVE-2021-21440MedJul 26, 2021
    risk 0.34cvss 5.2epss 0.01

    Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior…

  • CVE-2024-43443MedAug 26, 2024
    risk 0.32cvss 4.9epss 0.00

    Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: …

  • CVE-2024-43442MedAug 26, 2024
    risk 0.32cvss 4.9epss 0.00

    Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue…

  • CVE-2020-1771MedMar 27, 2020
    risk 0.30cvss 4.6epss 0.01

    Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior…

  • CVE-2020-1774MedApr 28, 2020
    risk 0.29cvss 4.5epss 0.01

    When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior…

  • CVE-2019-12248MedJun 17, 2019
    risk 0.28cvss 4.3epss 0.02

    An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could…

  • CVE-2025-24388LowJun 16, 2025
    risk 0.25cvss 3.8epss 0.00

    A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * …

  • CVE-2024-43446LowJan 27, 2025
    risk 0.23cvss 3.5epss 0.00

    An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community…

  • CVE-2023-5421LowOct 16, 2023
    risk 0.23cvss 3.5epss 0.00

    An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for…

  • CVE-2021-36091LowJul 26, 2021
    risk 0.23cvss 3.5epss 0.01

    Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

  • CVE-2021-21443LowJul 26, 2021
    risk 0.23cvss 3.5epss 0.01

    Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

  • CVE-2020-1776LowJul 20, 2020
    risk 0.23cvss 3.5epss 0.01

    When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior…

  • CVE-2020-1769LowMar 27, 2020
    risk 0.23cvss 3.5epss 0.01

    In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior…