342 matches found
CVE-2010-4761
The customer-interface ticket-print dialog in Open Ticket Request System (OTRS) before 3.0.0-beta3 does not properly restrict customer-visible data, which allows remote authenticated users to obtain potentially sensitive information from the (1) responsible, (2) owner, (3) accounted time, (4) pending until...
Design/Logic Flaw
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the...
Design/Logic Flaw
The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x before 2.3.0-beta1, does not properly configure the RANDFILE environment variable for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available fo...
Design/Logic Flaw
The AgentTicketForward feature in Open Ticket Request System (OTRS) before 2.4.7 does not properly remove inline images from HTML e-mail messages, which allows remote attackers to obtain potentially sensitive image information in opportunistic circumstances by reading a forwarded message in a...
CVE-2008-7275
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView...
Hardcoded credentials
Kernel/Output/HTML/CustomerNewTicketQueueSelectionGeneric.pm in Open Ticket Request System (OTRS) before 2.2.6, when the CustomerPanelOwnSelection and CustomerGroupSupport options are enabled, allows remote authenticated users to bypass intended access restrictions, and perform certain (1) list and (2)...
CVE-2010-4762
Cross-site scripting (XSS) vulnerability in the rich-text-editor component in Open Ticket Request System (OTRS) before 3.0.0-beta2 allows remote authenticated users to inject arbitrary web script or HTML by using the "source code" feature in the customer interface...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView...
Design/Logic Flaw
The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the UserLogin and UserPW fiel...
Design/Logic Flaw
Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remov...
SQL injection
The ACL-customer-status Ticket Type setting in Open Ticket Request System (OTRS) before 3.0.0-beta1 does not restrict the ticket options after an AJAX reload, which allows remote authenticated users to bypass intended ACL restrictions on the (1) Status, (2) Service, and (3) Queue via selections...
CVE-2010-4763
OTRS before 3.0.0-beta1 is affected by CVE-2010-4763. The ACL-customer-status Ticket Type setting does not restrict options after an AJAX reload, allowing remote authenticated users to bypass ACLs for Status, Service, and Queue via selections. Affected component: OTRS Web UI/ACL logic in the tick...
CVE-2008-7275
OTRS is affected by CVE-2008-7275: pre-2.3.3 versions expose cross-site scripting in the web UI. The vulnerabilities affect the AgentTicketMailbox and CustomerTicketOverView paths (including the OpenVAS entry for OTRS
CVE-2010-4758
installer.pl in Open Ticket Request System (OTRS) before 3.0.3 has an Inbound Mail Password field that uses the text type, instead of the password type, for its INPUT element, which makes it easier for physically proximate attackers to obtain the password by reading the workstation screen...
CVE-2008-7279
The CustomerInterface component in Open Ticket Request System (OTRS) before 2.2.8 allows remote authenticated users to bypass intended access restrictions and access tickets of arbitrary customers via unspecified vectors...
CVE-2008-7277
Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets...
DEBIAN-CVE-2011-0456
webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability."...
CVE-2011-0456
webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability."...