Vendor CVEs
OTRS
All CVEs
165 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-38060 | 0.00 | — | 0.01 | Jul 24, 2023 | Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the… | |||
| CVE-2023-38058 | 0.00 | — | 0.00 | Jul 24, 2023 | An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35. | |||
| CVE-2023-38057 | 0.00 | — | 0.00 | Jul 24, 2023 | An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.… | |||
| CVE-2023-38056 | 0.00 | — | 0.01 | Jul 24, 2023 | Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from… | |||
| CVE-2023-2534 | 0.00 | — | 0.01 | May 8, 2023 | Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by… | |||
| CVE-2018-17883 | 0.00 | — | 0.00 | Apr 15, 2023 | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS. | |||
| CVE-2023-1250 | 0.00 | — | 0.00 | Mar 20, 2023 | Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This… | |||
| CVE-2023-1248 | 0.00 | — | 0.00 | Mar 20, 2023 | Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through… | |||
| CVE-2022-4427 | 0.00 | — | 0.01 | Dec 19, 2022 | Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1… | |||
| CVE-2022-39052 | 0.00 | — | 0.01 | Oct 17, 2022 | An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system | |||
| CVE-2022-39051 | 0.00 | — | 0.01 | Sep 5, 2022 | Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package | |||
| CVE-2022-39050 | 0.00 | — | 0.00 | Sep 5, 2022 | An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the… | |||
| CVE-2022-39049 | 0.00 | — | 0.01 | Sep 5, 2022 | An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. | |||
| CVE-2022-32741 | 0.00 | — | 0.01 | Jun 13, 2022 | Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time. | |||
| CVE-2022-32740 | 0.00 | — | 0.01 | Jun 13, 2022 | A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances. | |||
| CVE-2022-32739 | 0.00 | — | 0.01 | Jun 13, 2022 | When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number. | |||
| CVE-2022-1004 | 0.00 | — | 0.01 | Mar 21, 2022 | Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled. | |||
| CVE-2022-0475 | 0.00 | — | 0.00 | Mar 21, 2022 | Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions. | |||
| CVE-2021-36100 | 0.00 | — | 0.01 | Mar 21, 2022 | Specially crafted string in OTRS system configuration can allow the execution of any system command. | |||
| CVE-2022-0474 | 0.00 | — | 0.01 | Feb 7, 2022 | Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions. | |||
| CVE-2022-0473 | 0.00 | — | 0.01 | Feb 7, 2022 | OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31… | |||
| CVE-2021-36097 | 0.00 | — | 0.01 | Oct 18, 2021 | Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions. | |||
| CVE-2021-36096 | 0.00 | — | 0.00 | Sep 6, 2021 | Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior… | |||
| CVE-2021-36095 | 0.00 | — | 0.01 | Sep 6, 2021 | Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||
| CVE-2021-36094 | 0.00 | — | 0.01 | Sep 6, 2021 | It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | |||
| CVE-2021-36093 | 0.00 | — | 0.01 | Sep 6, 2021 | It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15… | |||
| CVE-2013-4717 | 0.00 | — | 0.01 | Aug 9, 2021 | Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to… | |||
| CVE-2021-36092 | 0.00 | — | 0.01 | Jul 26, 2021 | It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version… | |||
| CVE-2021-36091 | 0.00 | — | 0.01 | Jul 26, 2021 | Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. | |||
| CVE-2021-21443 | 0.00 | — | 0.01 | Jul 26, 2021 | Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. | |||
| CVE-2021-21442 | 0.00 | — | 0.01 | Jul 26, 2021 | In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19. | |||
| CVE-2021-21440 | 0.00 | — | 0.01 | Jul 26, 2021 | Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior… | |||
| CVE-2021-21441 | 0.00 | — | 0.01 | Jun 16, 2021 | There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This… | |||
| CVE-2021-21439 | 0.00 | — | 0.01 | Jun 14, 2021 | DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1… | |||
| CVE-2021-21438 | 0.00 | — | 0.01 | Mar 22, 2021 | Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions. | |||
| CVE-2021-21437 | 0.00 | — | 0.01 | Mar 22, 2021 | Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions | |||
| CVE-2021-21436 | 0.00 | — | 0.01 | Feb 8, 2021 | Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions. | |||
| CVE-2021-21435 | 0.00 | — | 0.01 | Feb 8, 2021 | Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions. | |||
| CVE-2021-21434 | 0.00 | — | 0.01 | Feb 8, 2021 | Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior… | |||
| CVE-2020-1779 | 0.00 | — | 0.01 | Feb 8, 2021 | When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x… | |||
| CVE-2020-1778 | 0.00 | — | 0.01 | Nov 23, 2020 | When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. | |||
| CVE-2020-1777 | 0.00 | — | 0.01 | Oct 15, 2020 | Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and… | |||
| CVE-2020-1776 | 0.00 | — | 0.01 | Jul 20, 2020 | When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior… | |||
| CVE-2020-1775 | 0.00 | — | 0.01 | Jun 8, 2020 | BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions. | |||
| CVE-2020-1774 | 0.00 | — | 0.01 | Apr 28, 2020 | When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior… | |||
| CVE-2020-1773 | 0.00 | — | 0.01 | Mar 27, 2020 | An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects… | |||
| CVE-2020-1772 | 0.00 | — | 0.02 | Mar 27, 2020 | It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior… | |||
| CVE-2020-1771 | 0.00 | — | 0.01 | Mar 27, 2020 | Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior… | |||
| CVE-2020-1770 | 0.00 | — | 0.01 | Mar 27, 2020 | Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | |||
| CVE-2020-1769 | 0.00 | — | 0.01 | Mar 27, 2020 | In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior… |
- CVE-2023-38060Jul 24, 2023risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the…
- CVE-2023-38058Jul 24, 2023risk 0.00cvss —epss 0.00
An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
- CVE-2023-38057Jul 24, 2023risk 0.00cvss —epss 0.00
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.…
- CVE-2023-38056Jul 24, 2023risk 0.00cvss —epss 0.01
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from…
- CVE-2023-2534May 8, 2023risk 0.00cvss —epss 0.01
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by…
- CVE-2018-17883Apr 15, 2023risk 0.00cvss —epss 0.00
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.
- CVE-2023-1250Mar 20, 2023risk 0.00cvss —epss 0.00
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This…
- CVE-2023-1248Mar 20, 2023risk 0.00cvss —epss 0.00
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through…
- CVE-2022-4427Dec 19, 2022risk 0.00cvss —epss 0.01
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1…
- CVE-2022-39052Oct 17, 2022risk 0.00cvss —epss 0.01
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
- CVE-2022-39051Sep 5, 2022risk 0.00cvss —epss 0.01
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
- CVE-2022-39050Sep 5, 2022risk 0.00cvss —epss 0.00
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the…
- CVE-2022-39049Sep 5, 2022risk 0.00cvss —epss 0.01
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
- CVE-2022-32741Jun 13, 2022risk 0.00cvss —epss 0.01
Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
- CVE-2022-32740Jun 13, 2022risk 0.00cvss —epss 0.01
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.
- CVE-2022-32739Jun 13, 2022risk 0.00cvss —epss 0.01
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.
- CVE-2022-1004Mar 21, 2022risk 0.00cvss —epss 0.01
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
- CVE-2022-0475Mar 21, 2022risk 0.00cvss —epss 0.00
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.
- CVE-2021-36100Mar 21, 2022risk 0.00cvss —epss 0.01
Specially crafted string in OTRS system configuration can allow the execution of any system command.
- CVE-2022-0474Feb 7, 2022risk 0.00cvss —epss 0.01
Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.
- CVE-2022-0473Feb 7, 2022risk 0.00cvss —epss 0.01
OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31…
- CVE-2021-36097Oct 18, 2021risk 0.00cvss —epss 0.01
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
- CVE-2021-36096Sep 6, 2021risk 0.00cvss —epss 0.00
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior…
- CVE-2021-36095Sep 6, 2021risk 0.00cvss —epss 0.01
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
- CVE-2021-36094Sep 6, 2021risk 0.00cvss —epss 0.01
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
- CVE-2021-36093Sep 6, 2021risk 0.00cvss —epss 0.01
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15…
- CVE-2013-4717Aug 9, 2021risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to…
- CVE-2021-36092Jul 26, 2021risk 0.00cvss —epss 0.01
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version…
- CVE-2021-36091Jul 26, 2021risk 0.00cvss —epss 0.01
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
- CVE-2021-21443Jul 26, 2021risk 0.00cvss —epss 0.01
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
- CVE-2021-21442Jul 26, 2021risk 0.00cvss —epss 0.01
In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19.
- CVE-2021-21440Jul 26, 2021risk 0.00cvss —epss 0.01
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior…
- CVE-2021-21441Jun 16, 2021risk 0.00cvss —epss 0.01
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This…
- CVE-2021-21439Jun 14, 2021risk 0.00cvss —epss 0.01
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1…
- CVE-2021-21438Mar 22, 2021risk 0.00cvss —epss 0.01
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
- CVE-2021-21437Mar 22, 2021risk 0.00cvss —epss 0.01
Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions
- CVE-2021-21436Feb 8, 2021risk 0.00cvss —epss 0.01
Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.
- CVE-2021-21435Feb 8, 2021risk 0.00cvss —epss 0.01
Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.
- CVE-2021-21434Feb 8, 2021risk 0.00cvss —epss 0.01
Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior…
- CVE-2020-1779Feb 8, 2021risk 0.00cvss —epss 0.01
When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x…
- CVE-2020-1778Nov 23, 2020risk 0.00cvss —epss 0.01
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.
- CVE-2020-1777Oct 15, 2020risk 0.00cvss —epss 0.01
Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and…
- CVE-2020-1776Jul 20, 2020risk 0.00cvss —epss 0.01
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior…
- CVE-2020-1775Jun 8, 2020risk 0.00cvss —epss 0.01
BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.
- CVE-2020-1774Apr 28, 2020risk 0.00cvss —epss 0.01
When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior…
- CVE-2020-1773Mar 27, 2020risk 0.00cvss —epss 0.01
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects…
- CVE-2020-1772Mar 27, 2020risk 0.00cvss —epss 0.02
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior…
- CVE-2020-1771Mar 27, 2020risk 0.00cvss —epss 0.01
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior…
- CVE-2020-1770Mar 27, 2020risk 0.00cvss —epss 0.01
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
- CVE-2020-1769Mar 27, 2020risk 0.00cvss —epss 0.01
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior…
Page 2 of 4