8.1 High (CVSS3)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |

5.5 Medium (CVSS2)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:L/Au:S/C:P/I:P/A:N |
An update that fixes 18 vulnerabilities is now available.
Description:
OTRS was updated to 5.0.42, fixing many bugs and security issues:
https://community.otrs.com/otrs-community-edition-5s-patch-level-42/
Update to 5.0.41
https://community.otrs.com/otrs-community-edition-5s-patch-level-41/
* bug#14912 - Installer refers to non-existing documentation
* Added code to upgrade OTRS from 4 to 5 (read UPGRADING.SUSE)
Update to 5.0.40
https://community.otrs.com/otrs-community-edition-5s-patch-level-40/
CVE-2020-1766 boo#1160663 OSA-2020-02: Improper handling of uploaded
inline images. Due to improper handling of uploaded images it is possible,
under very unlikely and rare conditions, to force the agent's browser to
execute malicious JavaScript from a specially crafted SVG file rendered as
an inline JPG file.
Update 5.0.39
https://community.otrs.com/otrs-community-edition-5s-patch-level-39/
CVE-2019-18180 boo#1157001 OSA-2019-15: Denial of service. OTRS can be
put into an endless loop by providing filenames with overly long
extensions. This applies to the PostMaster (sending in email) and also to
uploads (attaching files to mails, for example).
CVE-2019-18179 OSA-2019-14: Information Disclosure. An attacker who is
logged into OTRS as an agent is able to list tickets assigned to other
agents that are in a queue where the attacker doesn't have permissions.
Update to 5.0.38
https://community.otrs.com/release-notes-otrs-5s-patch-level-38/
Update to 5.0.37
https://community.otrs.com/release-notes-otrs-5s-patch-level-37/
CVE-2019-13458, boo#1141432, OSA-2019-12:
Information Disclosure. An attacker who is logged into OTRS as an agent
user with appropriate permissions can leverage OTRS tags in templates in
order to disclose hashed user passwords.
CVE-2019-13457, boo#1141431, OSA-2019-11:
Information Disclosure. A customer user can use the search results to
disclose information from their "company" tickets (with the same
CustomerID), even when the CustomerDisableCompanyTicketAccess setting is
turned on.
CVE-2019-12746, boo#1141430, OSA-2019-10:
Session ID Disclosure. A user logged into OTRS as an agent might
unknowingly disclose their session ID by sharing the link of an embedded
ticket article with third parties. This identifier can then potentially be
abused in order to impersonate the agent user.
Update to 5.0.36
https://community.otrs.com/release-notes-otrs-5s-patch-level-36/
CVE-2019-12497, boo#1137614, OSA-2019-09: Information Disclosure. In the
customer or external frontend, personal information of agents, such as
name and mail address, can be disclosed in external notes.
CVE-2019-12248, boo#1137615, OSA-2019-08: Loading External Image
Resources. An attacker could send a malicious email to an OTRS system. If
a logged-in agent user quotes it, the email could cause the browser to
load external image resources.
Update to 5.0.35
https://community.otrs.com/release-notes-otrs-5s-patch-level-35/
CVE-2019-10067, boo#1139406, OSA-2019-05:
Reflected and Stored XSS. An attacker who is logged into OTRS as an agent
user with appropriate permissions may manipulate the URL to cause
execution of JavaScript in the context of OTRS.
CVE-2019-9892, boo#1139406, OSA-2019-04:
XXE Processing. An attacker who is logged into OTRS as an agent user with
appropriate permissions may try to import carefully crafted Report
Statistics XML that will result in reading arbitrary files from the OTRS
filesystem.
Update to 5.0.34
https://community.otrs.com/release-notes-otrs-5s-patch-level-34/
CVE-2019-9752, boo#1122560, OSA-2019-01: Stored XSS. An attacker who is
logged into OTRS as an agent or a customer user may upload a carefully
crafted resource in order to cause execution of JavaScript in the context
of OTRS.
Update to 5.0.33
Update to 5.0.26
Patch Instructions:
To install this openSUSE Security Update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:
openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-551=1
openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-551=1
openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2020-551=1
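Before applying the patch it is useful to know which of the advisories above an installed OTRS package is still exposed to. The following POSIX sh script is an added example, not part of this advisory or of the OTRS project: it maps the fixed patch levels listed in the update notes to their CVE ids and, given an installed version string, prints the CVEs that version predates. The version comparison is numeric per component, because a plain string comparison would rank 5.0.9 above 5.0.40. The input format is assumed to be the upstream version optionally followed by an rpm release suffix after a hyphen (for instance the value reported by `rpm -q --qf '%{VERSION}-%{RELEASE}' otrs`, which is an assumption about how the package is queried).

```shell
#!/bin/sh
# Added example (not from the advisory or the OTRS project): list the CVEs
# from this advisory that are not yet fixed in a given OTRS version.
# The patch-level-to-CVE mapping below is transcribed from the update notes.

# One line per fix: "<fixed patch level> <CVE ids...>"
OTRS_FIXES='5.0.40 CVE-2020-1766
5.0.39 CVE-2019-18180 CVE-2019-18179
5.0.37 CVE-2019-13458 CVE-2019-13457 CVE-2019-12746
5.0.36 CVE-2019-12497 CVE-2019-12248
5.0.35 CVE-2019-10067 CVE-2019-9892
5.0.34 CVE-2019-9752'

# version_lt A B: return 0 if dotted version A is older than B.
# Compares component by component as integers; missing components count as 0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # Drop the leading component (or empty the string when none remain).
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# otrs_unfixed_cves VERSION: print one CVE id per line for every fix in
# OTRS_FIXES whose patch level is newer than VERSION. An rpm release suffix
# such as "-lp151.1.1" (assumed format) is stripped before comparing.
otrs_unfixed_cves() {
    v=${1%%-*}
    printf '%s\n' "$OTRS_FIXES" | while read -r fixed cves; do
        if version_lt "$v" "$fixed"; then
            printf '%s\n' $cves
        fi
    done
}

# Usage: sh otrs_unfixed.sh 5.0.39-lp151.1.1
if [ "$#" -gt 0 ]; then
    otrs_unfixed_cves "$1"
fi
```

Running it with the fixed version 5.0.42 prints nothing; running it with 5.0.39 prints only CVE-2020-1766, the one advisory fixed in a later patch level.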
OS | Version | Architecture |
---|---|---|
openSUSE Leap | 15.1 | noarch |
openSUSE Backports SLE | 15-SP1 | noarch |
openSUSE Backports SLE | 15 | noarch |