CVSS2: 9 High

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Authentication | SINGLE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 7.2 High

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | HIGH
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.004 Low (Percentile 73.3%)
DISPUTED. In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue, stating “the behaviour is as designed and needed for different packages to be installed”, “there is a security warning if the package is not verified by OTRS Group”, and “there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary.”
Author | Note
---|---
msalvatore | Vendor states that everything is functioning as designed. Ignoring as this CVE is disputed.