Search...

CVE-2008-7281

2011-03-18T16:55:00

ID CVE-2008-7281
Type cve
Reporter cve@mitre.org
Modified 2011-03-22T04:00:00

Description

Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field.

JSON Vulners Source

Initial Source

{"id": "CVE-2008-7281", "bulletinFamily": "NVD", "title": "CVE-2008-7281", "description": "Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field.", "published": "2011-03-18T16:55:00", "modified": "2011-03-22T04:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7281", "reporter": "cve@mitre.org", "references": ["http://bugs.otrs.org/show_bug.cgi?id=2814", "http://bugs.otrs.org/show_bug.cgi?id=1882", "http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807"], "cvelist": ["CVE-2008-7281"], "type": "cve", "lastseen": "2019-05-29T18:09:30", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "89162b9d0b1282a6ac7661c7c7160113"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "6074564c2ed27f86db141e67728480f5"}, {"key": "cpe23", "hash": "90983bd780c29837a3e5b5d836e8d8f9"}, {"key": "cvelist", "hash": "e2451b97c6cf9f3accc892aaae7a869a"}, {"key": "cvss", "hash": "876f47c4ebc2b9e0dd17afaa22819f2a"}, {"key": "cvss2", "hash": "4c5095aa0a8ad4049b7693b420a5ae6e"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "b647a850fd42b235dd11ee60cf626f2d"}, {"key": "description", "hash": "300842ca65780c1e8c5a3acd0cccc15f"}, {"key": "href", "hash": "9d5563e30db7be78fd3faf7a12eaf2e8"}, {"key": "modified", "hash": "d68012ffdf7f3cc1200280ed7434ddcc"}, {"key": "published", "hash": "d8d3943b6660e731d37675d84d3633f7"}, {"key": "references", "hash": "6623ccf79668b8a876fb1a5a32f42131"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "3f0b6548298a02ba398d10f8b5f22464"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "2390a8fedebf9d1a5974ad85a47b6df7d73e9b776cb042c015795a133666310b", "viewCount": 0, "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2019-05-29T18:09:30"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310803915"]}], "modified": "2019-05-29T18:09:30"}, "vulnersScore": 5.2}, "objectVersion": "1.3", "cpe": ["cpe:/a:otrs:otrs:2.2.3", "cpe:/a:otrs:otrs:2.1.5", "cpe:/a:otrs:otrs:1.2.2", "cpe:/a:otrs:otrs:2.1.4", "cpe:/a:otrs:otrs:1.0.2", "cpe:/a:otrs:otrs:1.0.1", "cpe:/a:otrs:otrs:2.0.5", "cpe:/a:otrs:otrs:1.1", "cpe:/a:otrs:otrs:1.3.2", "cpe:/a:otrs:otrs:2.2.4", "cpe:/a:otrs:otrs:1.2.1", "cpe:/a:otrs:otrs:2.1.6", "cpe:/a:otrs:otrs:1.3.1", "cpe:/a:otrs:otrs:2.1.9", "cpe:/a:otrs:otrs:1.2.3", "cpe:/a:otrs:otrs:1.0.0", "cpe:/a:otrs:otrs:2.1.2", "cpe:/a:otrs:otrs:2.2.5", "cpe:/a:otrs:otrs:0.5", "cpe:/a:otrs:otrs:2.1.1", "cpe:/a:otrs:otrs:2.1.3", "cpe:/a:otrs:otrs:1.1.3", "cpe:/a:otrs:otrs:1.1.1", "cpe:/a:otrs:otrs:2.2.2", "cpe:/a:otrs:otrs:1.1.0", "cpe:/a:otrs:otrs:2.0.3", "cpe:/a:otrs:otrs:2.0.2", "cpe:/a:otrs:otrs:2.2.0", "cpe:/a:otrs:otrs:2.0.4", "cpe:/a:otrs:otrs:1.0", "cpe:/a:otrs:otrs:2.1.7", "cpe:/a:otrs:otrs:1.2.0", "cpe:/a:otrs:otrs:2.1.8", "cpe:/a:otrs:otrs:1.1.2", "cpe:/a:otrs:otrs:2.2.1", "cpe:/a:otrs:otrs:1.3.3", "cpe:/a:otrs:otrs:2.1.0", "cpe:/a:otrs:otrs:2.0.1", "cpe:/a:otrs:otrs:2.0.0", "cpe:/a:otrs:otrs:1.1.4", "cpe:/a:otrs:otrs:1.3.0", "cpe:/a:otrs:otrs:1.2.4"], "affectedSoftware": [{"name": "otrs otrs", "operator": "eq", "version": "2.1.2"}, {"name": "otrs otrs", "operator": "eq", "version": "1.2.1"}, {"name": "otrs otrs", "operator": "eq", "version": "1.2.2"}, {"name": "otrs otrs", "operator": "eq", "version": "1.0"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.1"}, {"name": "otrs otrs", "operator": "eq", "version": "1.3.0"}, {"name": "otrs otrs", "operator": "eq", "version": "1.3.3"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.8"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1.4"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1"}, {"name": "otrs otrs", "operator": "eq", "version": "1.2.3"}, {"name": "otrs otrs", "operator": "eq", "version": "1.0.2"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.6"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.2"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.4"}, {"name": "otrs otrs", "operator": "eq", "version": "1.0.0"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.4"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.5"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.9"}, {"name": "otrs otrs", "operator": "eq", "version": "1.0.1"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1.2"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.2"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.0"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.0"}, {"name": "otrs otrs", "operator": "eq", "version": "1.2.4"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.5"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1.0"}, {"name": "otrs otrs", "operator": "eq", "version": "1.3.1"}, {"name": "otrs otrs", "operator": "eq", "version": "1.2.0"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1.3"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.7"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.5"}, {"name": "otrs otrs", "operator": "le", "version": "2.2.6"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.3"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.1"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.3"}, {"name": "otrs otrs", "operator": "eq", "version": "2.1.1"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.3"}, {"name": "otrs otrs", "operator": "eq", "version": "2.2.4"}, {"name": "otrs otrs", "operator": "eq", "version": "1.3.2"}, {"name": "otrs otrs", "operator": "eq", "version": "1.1.1"}, {"name": "otrs otrs", "operator": "eq", "version": "2.0.0"}, {"name": "otrs otrs", "operator": "eq", "version": "0.5"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:otrs:otrs:0.5:beta6:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta4:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta5:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:beta5:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta3:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:beta6:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta7:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.2.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:0.5:beta8:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.3.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:1.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:otrs:otrs:2.1.9:*:*:*:*:*:*:*"], "cwe": ["CWE-200"]}

{"openvas": [{"lastseen": "2019-10-18T15:29:05", "bulletinFamily": "scanner", "description": "This host is installed with OTRS (Open Ticket Request System) and is prone to\nmultiple vulnerabilities.", "modified": "2019-10-17T00:00:00", "published": "2013-09-17T00:00:00", "id": "OPENVAS:1361412562310803915", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803915", "title": "OTRS Email Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OTRS Email Multiple Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:otrs:otrs\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803915\");\n script_version(\"2019-10-17T12:29:45+0000\");\n script_cve_id(\"CVE-2008-7280\", \"CVE-2008-7281\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 12:29:45 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-09-17 16:43:34 +0530 (Tue, 17 Sep 2013)\");\n script_name(\"OTRS Email Multiple Vulnerabilities\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with OTRS (Open Ticket Request System) and is prone to\nmultiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Upgrade to OTRS (Open Ticket Request System) version 2.2.7 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"insight\", value:\"-An error exists in Kernel/System/EmailParser.pm in PostmasterPOP3.pl which\ndoes not properly handle e-mail messages containing malformed UTF-8 characters\n\n - An error exists in otrs-email.pm, which sends e-mail containing a Bcc header\nfield that lists the Blind Carbon Copy recipients\");\n script_tag(name:\"affected\", value:\"OTRS (Open Ticket Request System) version before 2.2.7\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain potentially\nsensitive e-mail address information or cause the application to crash by\ncreating a denial of service condition.\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_otrs_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"OTRS/installed\");\n script_xref(name:\"URL\", value:\"http://www.otrs.com/en/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(vers = get_app_version(cpe:CPE, port:port))\n{\n if(version_is_less(version: vers, test_version: \"2.2.7\"))\n {\n security_message(port:port);\n exit(0);\n }\n\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}