Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.

CPE

Name | Operator | Version |
---|---|---|
otrs | eq | rel-2_0_0-b1 |
otrs | eq | rel-2_2_1 |
otrs | eq | rel-2_2_0_beta1 |
otrs | eq | rel-1_1_0_rc2 |
otrs | eq | rel-3_3_11 |
otrs | eq | rel-3_0_0-b5 |
otrs | eq | rel-2_2_0_beta3 |
otrs | eq | rel-1_2_0_beta1 |
otrs | eq | rel-2_4_1 |
otrs | eq | rel-3_1_0_beta4 |