Otrs

Improper Input Validation vulnerability in the upload functionality for user avatars

CVE-2024-23790 9.8 - Critical - January 29, 2024

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.

Improper Validation of Integrity Check Value

Insertion of debug information into log file during building the elastic search index

CVE-2024-23791 7.5 - High - January 29, 2024

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

Insertion of Sensitive Information into Log File

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user

CVE-2024-23792 6.5 - Medium - January 29, 2024

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

authentification

A Vulnerability in OTRS AgentInterface and ExternalInterface

CVE-2023-6254 7.5 - High - November 27, 2023

A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through 8.0.37.

Insufficiently Protected Credentials

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication

CVE-2023-5422 9.1 - Critical - October 16, 2023

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Improper Certificate Validation

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code

CVE-2023-5421 5.5 - Medium - October 16, 2023

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

XSS

The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload

CVE-2023-38059 5.3 - Medium - October 16, 2023

The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

An improper privilege check in the OTRS ticket move action in the agent interface

CVE-2023-38058 4.3 - Medium - July 24, 2023

An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.

AuthZ

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules

CVE-2023-38060 8.8 - High - July 24, 2023

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment.  This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Injection

An improper input validation vulnerability in OTRS Survey modules

CVE-2023-38057 5.4 - Medium - July 24, 2023

An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.

XSS

Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g

CVE-2023-38056 7.2 - High - July 24, 2023

Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Shell injection

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend)

CVE-2023-2534 8.1 - High - May 08, 2023

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32.

AuthZ

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12

CVE-2018-17883 6.1 - Medium - April 16, 2023

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.

XSS

Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules)

CVE-2023-1248 6.1 - Medium - March 20, 2023

Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

XSS

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules)

CVE-2023-1250 7.8 - High - March 20, 2023

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Code Injection

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition

CVE-2022-4427 9.8 - Critical - December 19, 2022

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

SQL Injection

An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system

CVE-2022-39052 6.5 - Medium - October 17, 2022

An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system

Infinite Loop

Article template contents with sensitive data could be accessed

CVE-2022-3501 7.5 - High - October 17, 2022

Article template contents with sensitive data could be accessed from agents without permissions.

AuthZ

An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.

CVE-2022-39049 4.8 - Medium - September 05, 2022

An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.

XSS

Attacker might be able to execute malicious Perl code in the Template toolkit

CVE-2022-39051 8.8 - High - September 05, 2022

Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package

Improper Control of Dynamically-Managed Code Resources

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link

CVE-2022-39050 4.8 - Medium - September 05, 2022

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap

XSS

When Secure::DisableBanner system configuration has been disabled and agent shares his calendar

CVE-2022-32739 5.3 - Medium - June 13, 2022

When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.

A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.

CVE-2022-32740 5.3 - Medium - June 13, 2022

A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.

Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature

CVE-2022-32741 5.3 - Medium - June 13, 2022

Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.

Specially crafted string in OTRS system configuration can

CVE-2021-36100 8.8 - High - March 21, 2022

Specially crafted string in OTRS system configuration can allow the execution of any system command.

Shell injection

Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed)

CVE-2022-0475 5.4 - Medium - March 21, 2022

Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.

XSS

Accounted time is shown in the Ticket Detail View (External Interface)

CVE-2022-1004 4.3 - Medium - March 21, 2022

Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.

Information Disclosure

Full list of recipients

CVE-2022-0474 3.5 - Low - February 07, 2022

Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.

Information Disclosure

OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check

CVE-2022-0473 4.8 - Medium - February 07, 2022

OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.

XSS

Agents are able to lock the ticket without the "Owner" permission

CVE-2021-36097 4.3 - Medium - October 18, 2021

Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden

CVE-2021-36096 4.9 - Medium - September 06, 2021

Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.

Cleartext Storage of Sensitive Information

It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS

CVE-2021-36093 5.3 - Medium - September 06, 2021

It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.

It's possible to craft a request for appointment edit screen, which could lead to the XSS attack

CVE-2021-36094 5.4 - Medium - September 06, 2021

It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

XSS

Malicious attacker is able to find out valid user logins by using the "lost password" feature

CVE-2021-36095 5.3 - Medium - September 06, 2021

Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

Weak Password Recovery Mechanism for Forgotten Password

Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9

CVE-2013-4717 8.8 - High - August 09, 2021

Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm.

SQL Injection

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7

CVE-2013-4718 5.4 - Medium - August 09, 2021

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search.

XSS

Agents are able to list customer user emails without required permissions in the bulk action screen

CVE-2021-21443 4.3 - Medium - July 26, 2021

Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden

CVE-2021-21440 6.5 - Medium - July 26, 2021

Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.

Agents are able to list appointments in the calendars without required permissions

CVE-2021-36091 4.3 - Medium - July 26, 2021

Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

AuthZ

It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack

CVE-2021-36092 6.1 - Medium - July 26, 2021

It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.

XSS

There is a XSS vulnerability in the ticket overview screens

CVE-2021-21441 7.5 - High - June 16, 2021

There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions.

XSS

DoS attack can be performed when an email contains specially designed URL in the body

CVE-2021-21439 6.5 - Medium - June 14, 2021

DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.

Improper Handling of Exceptional Conditions

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category)

CVE-2021-21438 4.3 - Medium - March 22, 2021

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.

Incorrect Default Permissions

Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface

CVE-2021-21435 6.5 - Medium - February 08, 2021

Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.

Information Disclosure

When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid

CVE-2020-1778 4.3 - Medium - November 23, 2020

When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.

authentification

Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets

CVE-2020-1777 5.3 - Medium - October 15, 2020

Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and prior versions.

Information Disclosure

When an agent user is renamed or set to invalid the session belonging to the user is keept active

CVE-2020-1776 4.3 - Medium - July 20, 2020

When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.

Insufficient Session Expiration

BCC recipients in mails sent from OTRS are visible in article detail on external interface

CVE-2020-1775 4.3 - Medium - June 08, 2020

BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.

Information Disclosure

When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys

CVE-2020-1774 4.9 - Medium - April 28, 2020

When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.

An attacker with the ability to generate session IDs or password reset tokens

CVE-2020-1773 8.1 - High - March 27, 2020

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.

Insufficient Entropy

It's possible to craft Lost Password requests with wildcards in the Token value, which

CVE-2020-1772 7.5 - High - March 27, 2020

It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript)

CVE-2020-1771 5.4 - Medium - March 27, 2020

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

XSS

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed

CVE-2020-1770 4.3 - Medium - March 27, 2020

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Information Disclosure

In the login screens (in agent and customer interface), Username and Password fields use autocomplete

CVE-2020-1769 4.3 - Medium - March 27, 2020

In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11

CVE-2019-16375 5.4 - Medium - March 19, 2020

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.

XSS

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8

CVE-2019-13457 4.3 - Medium - March 10, 2020

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.

Information Disclosure

An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6

CVE-2019-10065 4.3 - Medium - March 10, 2020

An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753.

The external frontend system uses numerous background calls to the backend

CVE-2020-1768 5.4 - Medium - February 07, 2020

The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.

Insufficient Session Expiration

Agent A is able to save a draft (i.e

CVE-2020-1767 4.3 - Medium - January 10, 2020

Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript

CVE-2020-1766 6.1 - Medium - January 10, 2020

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

XSS

An improper control of parameters

CVE-2020-1765 5.3 - Medium - January 10, 2020

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12

CVE-2019-18179 4.3 - Medium - January 06, 2020

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.

Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g

CVE-2019-18180 7.5 - High - December 05, 2019

Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.

Infinite Loop

An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19

CVE-2019-12746 6.5 - Medium - August 21, 2019

An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user.

Information Disclosure

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8

CVE-2019-13458 6.5 - Medium - August 21, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7

CVE-2018-11563 4.6 - Medium - July 08, 2019

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7

CVE-2019-12248 4.3 - Medium - June 17, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8

CVE-2019-12497 5.3 - Medium - June 17, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.

Information Disclosure

An issue was discovered in Open Ticket Request System (OTRS) 7.x before 7.0.5

CVE-2019-9753 4.3 - Medium - June 03, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.x before 7.0.5. An attacker who is logged into OTRS as an agent or a customer user can use the search result screens to disclose information from invalid system entities. Following is the list of affected entities: Custom Pages, FAQ Articles, Service Catalogue Items, ITSM Configuration Items.

Information Disclosure

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6

CVE-2019-10066 5.4 - Medium - May 22, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.

XSS

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17

CVE-2019-10067 5.4 - Medium - May 22, 2019

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.

XSS

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6

CVE-2019-9892 6.5 - Medium - May 22, 2019

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.

aka Blind XPath Injection

An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13

CVE-2018-20800 6.5 - Medium - March 13, 2019

An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13. Users updating to 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table.

Improper Input Validation

An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4

CVE-2019-9752 5.4 - Medium - March 13, 2019

An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.

XSS

An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5

CVE-2019-9751 4.8 - Medium - March 13, 2019

An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.

XSS

An issue was discovered in OTRS 6.0.x before 6.0.7

CVE-2018-10198 4.3 - Medium - June 06, 2018

An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets.

Information Disclosure

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1

CVE-2018-7567 7.2 - High - March 04, 2018

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary.

Unrestricted File Upload

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent

CVE-2017-16921 8.8 - High - December 08, 2017

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.

Shell injection