Otrs

by OTRS

CVEs (154)

  • CVE-2026-48210 | Med | May 31, 2026
    risk 0.37, cvss 5.7, epss 0.00

    An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the…

  • CVE-2024-43445 | Med | Jan 27, 2025
    risk 0.35, cvss 5.4, epss 0.00

    A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.…

  • CVE-2025-24391 | Med | Jul 14, 2025
    risk 0.34, cvss 5.3, epss 0.00

    A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: * OTRS…

  • CVE-2024-43443 | Med | Aug 26, 2024
    risk 0.32, cvss 4.9, epss 0.00

    Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: …

  • CVE-2024-43442 | Med | Aug 26, 2024
    risk 0.32, cvss 4.9, epss 0.00

    Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue…

  • CVE-2018-16586 | Med | Sep 28, 2018
    risk 0.28, cvss 4.3, epss 0.01

    In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.

  • CVE-2018-10198 | Med | Jun 6, 2018
    risk 0.28, cvss 4.3, epss 0.01

    An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets.

  • CVE-2025-24388 | Low | Jun 16, 2025
    risk 0.25, cvss 3.8, epss 0.00

    A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allows parameter injection due to for an authenticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * …

  • CVE-2026-48190 | Low | Jun 1, 2026
    risk 0.23, cvss 3.5, epss 0.00

    An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue…

  • CVE-2024-43446 | Low | Jan 27, 2025
    risk 0.23, cvss 3.5, epss 0.00

    An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community…

  • CVE-2012-4600 | Aug 31, 2012
    risk 0.04, cvss n/a, epss 0.06

    Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body…

  • CVE-2005-3893 | Nov 29, 2005
    risk 0.04, cvss n/a, epss 0.07

    Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote…

  • CVE-2014-1695 | Mar 1, 2014
    risk 0.03, cvss n/a, epss 0.05

    Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.

  • CVE-2012-4751 | Oct 22, 2012
    risk 0.03, cvss n/a, epss 0.06

    Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a…

  • CVE-2012-2582 | Aug 23, 2012
    risk 0.03, cvss n/a, epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject…

  • CVE-2007-2524 | May 8, 2007
    risk 0.03, cvss n/a, epss 0.05

    Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for…

  • CVE-2005-3894 | Nov 29, 2005
    risk 0.03, cvss n/a, epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2)…

  • CVE-2025-24387 | Mar 10, 2025
    risk 0.00, cvss n/a, epss 0.00

    A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read…

  • CVE-2024-23794 | Jul 15, 2024
    risk 0.00, cvss n/a, epss 0.00

    An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has…

  • CVE-2024-6540 | Jul 15, 2024
    risk 0.00, cvss n/a, epss 0.00

    Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the…
