Lucene search

K

Otrs Security Vulnerabilities

cve
cve

CVE-2024-23793

The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl....

6.3CVSS

7.2AI Score

0.0004EPSS

2024-06-06 07:15 PM
20
cve
cve

CVE-2018-7567

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server....

7.2CVSS

7.3AI Score

0.004EPSS

2018-03-04 08:29 PM
39
cve
cve

CVE-2024-23790

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through...

9.8CVSS

9.4AI Score

0.001EPSS

2024-01-29 10:15 AM
12
cve
cve

CVE-2024-23792

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue...

6.5CVSS

6.4AI Score

0.0005EPSS

2024-01-29 10:15 AM
11
cve
cve

CVE-2024-23791

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through...

7.5CVSS

7.4AI Score

0.001EPSS

2024-01-29 10:15 AM
11
cve
cve

CVE-2023-6254

A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through...

8.1CVSS

7.5AI Score

0.001EPSS

2023-11-27 10:15 AM
8
cve
cve

CVE-2012-4600

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML...

5.6AI Score

0.003EPSS

2012-08-31 02:55 PM
30
cve
cve

CVE-2023-1250

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS:...

7.8CVSS

7.7AI Score

0.0004EPSS

2023-03-20 09:15 AM
31
cve
cve

CVE-2023-1248

Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through...

6.1CVSS

6.1AI Score

0.001EPSS

2023-03-20 09:15 AM
30
cve
cve

CVE-2012-4751

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC...

6.6AI Score

0.005EPSS

2012-10-22 04:55 PM
40
cve
cve

CVE-2023-5422

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary...

9.1CVSS

9.1AI Score

0.001EPSS

2023-10-16 09:15 AM
26
cve
cve

CVE-2023-5421

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was...

5.5CVSS

5.8AI Score

0.0004EPSS

2023-10-16 09:15 AM
28
cve
cve

CVE-2023-38059

The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through.....

5.3CVSS

5.2AI Score

0.0005EPSS

2023-10-16 09:15 AM
27
cve
cve

CVE-2021-36091

Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to...

4.3CVSS

5.3AI Score

0.001EPSS

2021-07-26 05:15 AM
66
7
cve
cve

CVE-2021-21441

There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS....

7.5CVSS

7.4AI Score

0.002EPSS

2021-06-16 10:15 AM
28
cve
cve

CVE-2020-1776

When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4....

4.3CVSS

5.4AI Score

0.001EPSS

2020-07-20 09:15 PM
40
cve
cve

CVE-2021-36100

Specially crafted string in OTRS system configuration can allow the execution of any system...

8.8CVSS

9.1AI Score

0.001EPSS

2022-03-21 10:15 AM
70
cve
cve

CVE-2021-21443

Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to...

4.3CVSS

5.3AI Score

0.001EPSS

2021-07-26 05:15 AM
64
8
cve
cve

CVE-2021-21440

Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior...

6.5CVSS

6.5AI Score

0.001EPSS

2021-07-26 05:15 AM
68
7
cve
cve

CVE-2020-1771

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and.....

5.4CVSS

6.3AI Score

0.001EPSS

2020-03-27 01:15 PM
162
cve
cve

CVE-2020-1773

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community...

8.1CVSS

7.8AI Score

0.001EPSS

2020-03-27 01:15 PM
176
cve
cve

CVE-2020-1767

Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x...

4.3CVSS

5.1AI Score

0.001EPSS

2020-01-10 03:15 PM
87
cve
cve

CVE-2020-1766

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior...

6.1CVSS

6.7AI Score

0.012EPSS

2020-01-10 03:15 PM
162
cve
cve

CVE-2023-38060

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue...

8.8CVSS

9AI Score

0.0005EPSS

2023-07-24 09:15 AM
27
cve
cve

CVE-2022-4427

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through...

9.8CVSS

9.8AI Score

0.002EPSS

2022-12-19 09:15 AM
35
cve
cve

CVE-2021-21439

DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions....

6.5CVSS

7.7AI Score

0.001EPSS

2021-06-14 08:15 AM
34
cve
cve

CVE-2020-1769

In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior...

4.3CVSS

5.7AI Score

0.001EPSS

2020-03-27 01:15 PM
184
cve
cve

CVE-2019-16375

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious.....

5.4CVSS

6.2AI Score

0.001EPSS

2020-03-19 06:15 PM
128
cve
cve

CVE-2020-1774

When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and...

4.9CVSS

6AI Score

0.001EPSS

2020-04-28 02:15 PM
49
cve
cve

CVE-2019-18180

Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x...

7.5CVSS

7.5AI Score

0.014EPSS

2019-12-05 03:15 PM
120
cve
cve

CVE-2020-1772

It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS:...

7.5CVSS

7.4AI Score

0.007EPSS

2020-03-27 01:15 PM
193
cve
cve

CVE-2019-12497

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external...

5.3CVSS

6.1AI Score

0.01EPSS

2019-06-17 05:15 PM
140
cve
cve

CVE-2019-12248

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser...

4.3CVSS

5.2AI Score

0.003EPSS

2019-06-17 06:15 PM
137
cve
cve

CVE-2020-1765

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24...

5.3CVSS

6.2AI Score

0.005EPSS

2020-01-10 03:15 PM
166
cve
cve

CVE-2020-1770

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior...

4.3CVSS

5.5AI Score

0.003EPSS

2020-03-27 01:15 PM
183
cve
cve

CVE-2019-13458

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to...

6.5CVSS

6.7AI Score

0.002EPSS

2019-08-21 02:15 PM
132
cve
cve

CVE-2019-12746

An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be....

6.5CVSS

6.8AI Score

0.008EPSS

2019-08-21 02:15 PM
129
cve
cve

CVE-2019-18179

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker...

4.3CVSS

5.5AI Score

0.003EPSS

2020-01-06 08:15 PM
163
cve
cve

CVE-2023-38057

An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects.....

5.4CVSS

5.3AI Score

0.0004EPSS

2023-07-24 09:15 AM
22
cve
cve

CVE-2023-38058

An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before...

4.3CVSS

4.6AI Score

0.0004EPSS

2023-07-24 09:15 AM
17
cve
cve

CVE-2023-38056

Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35;....

7.2CVSS

6.9AI Score

0.001EPSS

2023-07-24 09:15 AM
32
cve
cve

CVE-2023-2534

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing...

8.1CVSS

8.1AI Score

0.001EPSS

2023-05-08 08:15 AM
13
cve
cve

CVE-2018-17883

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of...

6.1CVSS

6.2AI Score

0.001EPSS

2023-04-16 12:15 AM
17
cve
cve

CVE-2018-11563

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel...

4.6CVSS

5.3AI Score

0.001EPSS

2019-07-08 01:15 PM
48
cve
cve

CVE-2019-13457

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned...

4.3CVSS

5.5AI Score

0.001EPSS

2020-03-10 06:15 PM
109
cve
cve

CVE-2019-10067

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the...

5.4CVSS

6.3AI Score

0.001EPSS

2019-05-22 12:29 AM
118
cve
cve

CVE-2019-9892

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of...

6.5CVSS

6.5AI Score

0.002EPSS

2019-05-22 12:29 AM
121
cve
cve

CVE-2021-36097

Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior...

4.3CVSS

4.6AI Score

0.001EPSS

2021-10-18 07:15 AM
25
cve
cve

CVE-2021-21437

Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior...

4.3CVSS

4.6AI Score

0.001EPSS

2021-03-22 09:15 AM
30
2
cve
cve

CVE-2022-39052

An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the...

7.5CVSS

6.4AI Score

0.001EPSS

2022-10-17 09:15 AM
35
11
Total number of security vulnerabilities149