VYPR

Vendor CVEs

OTRS

All CVEs

165 total · sorted by risk
  • CVE-2023-38060Jul 24, 2023
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the…

  • CVE-2023-38058Jul 24, 2023
    risk 0.00cvss epss 0.00

    An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.

  • CVE-2023-38057Jul 24, 2023
    risk 0.00cvss epss 0.00

    An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.…

  • CVE-2023-38056Jul 24, 2023
    risk 0.00cvss epss 0.01

    Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from…

  • CVE-2023-2534May 8, 2023
    risk 0.00cvss epss 0.01

    Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by…

  • CVE-2018-17883Apr 15, 2023
    risk 0.00cvss epss 0.00

    An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.

  • CVE-2023-1250Mar 20, 2023
    risk 0.00cvss epss 0.00

    Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This…

  • CVE-2023-1248Mar 20, 2023
    risk 0.00cvss epss 0.00

    Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through…

  • CVE-2022-4427Dec 19, 2022
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1…

  • CVE-2022-39052Oct 17, 2022
    risk 0.00cvss epss 0.01

    An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system

  • CVE-2022-39051Sep 5, 2022
    risk 0.00cvss epss 0.01

    Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package

  • CVE-2022-39050Sep 5, 2022
    risk 0.00cvss epss 0.00

    An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the…

  • CVE-2022-39049Sep 5, 2022
    risk 0.00cvss epss 0.01

    An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.

  • CVE-2022-32741Jun 13, 2022
    risk 0.00cvss epss 0.01

    Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.

  • CVE-2022-32740Jun 13, 2022
    risk 0.00cvss epss 0.01

    A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.

  • CVE-2022-32739Jun 13, 2022
    risk 0.00cvss epss 0.01

    When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.

  • CVE-2022-1004Mar 21, 2022
    risk 0.00cvss epss 0.01

    Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.

  • CVE-2022-0475Mar 21, 2022
    risk 0.00cvss epss 0.00

    Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.

  • CVE-2021-36100Mar 21, 2022
    risk 0.00cvss epss 0.01

    Specially crafted string in OTRS system configuration can allow the execution of any system command.

  • CVE-2022-0474Feb 7, 2022
    risk 0.00cvss epss 0.01

    Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.

  • CVE-2022-0473Feb 7, 2022
    risk 0.00cvss epss 0.01

    OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31…

  • CVE-2021-36097Oct 18, 2021
    risk 0.00cvss epss 0.01

    Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

  • CVE-2021-36096Sep 6, 2021
    risk 0.00cvss epss 0.00

    Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior…

  • CVE-2021-36095Sep 6, 2021
    risk 0.00cvss epss 0.01

    Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

  • CVE-2021-36094Sep 6, 2021
    risk 0.00cvss epss 0.01

    It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

  • CVE-2021-36093Sep 6, 2021
    risk 0.00cvss epss 0.01

    It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15…

  • CVE-2013-4717Aug 9, 2021
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to…

  • CVE-2021-36092Jul 26, 2021
    risk 0.00cvss epss 0.01

    It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version…

  • CVE-2021-36091Jul 26, 2021
    risk 0.00cvss epss 0.01

    Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

  • CVE-2021-21443Jul 26, 2021
    risk 0.00cvss epss 0.01

    Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

  • CVE-2021-21442Jul 26, 2021
    risk 0.00cvss epss 0.01

    In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19.

  • CVE-2021-21440Jul 26, 2021
    risk 0.00cvss epss 0.01

    Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior…

  • CVE-2021-21441Jun 16, 2021
    risk 0.00cvss epss 0.01

    There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This…

  • CVE-2021-21439Jun 14, 2021
    risk 0.00cvss epss 0.01

    DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1…

  • CVE-2021-21438Mar 22, 2021
    risk 0.00cvss epss 0.01

    Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.

  • CVE-2021-21437Mar 22, 2021
    risk 0.00cvss epss 0.01

    Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions

  • CVE-2021-21436Feb 8, 2021
    risk 0.00cvss epss 0.01

    Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.

  • CVE-2021-21435Feb 8, 2021
    risk 0.00cvss epss 0.01

    Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.

  • CVE-2021-21434Feb 8, 2021
    risk 0.00cvss epss 0.01

    Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior…

  • CVE-2020-1779Feb 8, 2021
    risk 0.00cvss epss 0.01

    When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x…

  • CVE-2020-1778Nov 23, 2020
    risk 0.00cvss epss 0.01

    When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.

  • CVE-2020-1777Oct 15, 2020
    risk 0.00cvss epss 0.01

    Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and…

  • CVE-2020-1776Jul 20, 2020
    risk 0.00cvss epss 0.01

    When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior…

  • CVE-2020-1775Jun 8, 2020
    risk 0.00cvss epss 0.01

    BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.

  • CVE-2020-1774Apr 28, 2020
    risk 0.00cvss epss 0.01

    When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior…

  • CVE-2020-1773Mar 27, 2020
    risk 0.00cvss epss 0.01

    An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects…

  • CVE-2020-1772Mar 27, 2020
    risk 0.00cvss epss 0.02

    It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior…

  • CVE-2020-1771Mar 27, 2020
    risk 0.00cvss epss 0.01

    Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior…

  • CVE-2020-1770Mar 27, 2020
    risk 0.00cvss epss 0.01

    Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

  • CVE-2020-1769Mar 27, 2020
    risk 0.00cvss epss 0.01

    In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior…