VuXML ID | Description |
0c5cf7c4-856e-11e4-a089-60a44c524f57 | otrs -- Incomplete Access Control
The OTRS project reports:
An attacker with valid OTRS credentials could access and manipulate ticket data
of other users via the GenericInterface, if a ticket webservice is configured
and not additionally secured.
Discovery 2014-12-16 Entry 2014-12-16 otrs
gt 3.2.* lt 3.2.17
gt 3.3.* lt 3.3.11
gt 4.0.* lt 4.0.3
http://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
CVE-2014-9324
|
13320091-52a6-11e2-a289-1c4bd681f0cf | otrs -- XSS vulnerability
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker could
send a specially prepared HTML email to OTRS which would cause JavaScript code
to be executed in your browser while displaying the email. In this case this is
achieved by using javascript source attributes with whitespaces.
Discovery 2012-10-16 Entry 2012-12-30 otrs
< 3.1.11
CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://www.kb.cert.org/vuls/id/603276
|
1e7f0c11-673a-11e5-98c8-60a44c524f57 | otrs -- Scheduler Process ID File Access
The OTRS project reports:
An attacker with valid LOCAL credentials could access and
manipulate the process ID file for bin/otrs.schduler.pl from the
CLI.
The Proc::Daemon module 0.14 for Perl uses world-writable
permissions for a file that stores a process ID, which allows local
users to have an unspecified impact by modifying this file.
Discovery 2015-09-17 Entry 2015-09-30 otrs
gt 3.2.* lt 3.2.18
gt 3.3.* lt 3.3.15
gt 4.0.* lt 4.0.13
https://www.otrs.com/security-advisory-2015-02-scheduler-process-id-file-access/
CVE-2015-6842
CVE-2013-7135
|
49a6026a-52a3-11e2-a289-1c4bd681f0cf | otrs -- XSS vulnerability in Internet Explorer
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. Due to the XSS vulnerability in Internet Explorer an attacker could send
a specially prepared HTML email to OTRS which would cause JavaScript code to be
executed in your Internet Explorer while displaying the email.
Discovery 2012-08-22 Entry 2012-12-30 otrs
< 3.1.9
CVE-2012-2582
http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-01/
|
661bd031-c37d-11e2-addb-60a44c524f57 | otrs -- XSS vulnerability
The OTRS Project reports:
An attacker with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.
Discovery 2013-04-02 Entry 2013-05-23 otrs
< 3.1.8
CVE-2013-2637
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/
|
6b575419-14cf-11df-a628-001517351c22 | otrs -- SQL injection
OTRS Security Advisory reports:
Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it's possible for
authenticated users to inject SQL queries
via string manipulation of statements.
A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e. g. administrator
permissions).
To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.
Discovery 2010-02-08 Entry 2010-02-08 Modified 2010-05-02 otrs
< 2.4.7
CVE-2010-0438
http://otrs.org/advisory/OSA-2010-01-en/
|
70b72a52-9e54-11e3-babe-60a44c524f57 | otrs -- XSS Issue
The OTRS Project reports:
An attacker could send a specially prepared HTML email to OTRS. If
he can then trick an agent into following a special link to display this email,
JavaScript code would be executed.
Discovery 2014-02-25 Entry 2014-02-25 otrs
< 3.1.20
gt 3.2.* lt 3.2.15
gt 3.3.* lt 3.3.5
https://www.otrs.com/security-advisory-2014-03-xss-issue/
CVE-2014-1695
|
84065569-7fb4-11e2-9c5a-000d601460a4 | otrs -- XSS vulnerability could lead to remote code execution
The OTRS Project reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your browser while displaying the
email. In this case this is achieved by using javascript source
attributes with whitespaces.
Affected by this vulnerability are all releases of OTRS 2.4.x up to
and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to
and including 3.1.10.
Discovery 2012-10-16 Entry 2013-02-25 otrs
ge 3.1.* lt 3.1.11
CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03
|
86baa0d4-c997-11e0-8a8e-00151735203a | OTRS -- Vulnerabilities in OTRS-Core allows read access to any file on local file system
OTRS Security Advisory reports:
- An attacker with valid session and admin permissions could
get read access to any file on the servers local operating
system. For this it would be needed minimum one installed
OTRS package.
Discovery 2011-08-16 Entry 2011-08-18 otrs
gt 2.1.* lt 3.0.10
CVE-2011-2746
http://otrs.org/advisory/OSA-2011-03-en/
|
8b97d289-d8cf-11e2-a1f5-60a44c524f57 | otrs -- information disclosure
The OTRS Project reports:
An attacker with a valid agent login could manipulate URLs in the ticket
watch mechanism to see contents of tickets they are not permitted to see.
Discovery 2013-06-18 Entry 2013-06-19 otrs
< 3.2.8
CVE-2013-4088
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
|
95a69d1a-52a5-11e2-a289-1c4bd681f0cf | otrs -- XSS vulnerability in Firefox and Opera
OTRS Security Advisory reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker could
send a specially prepared HTML email to OTRS which would cause JavaScript code
to be executed in your browser while displaying the email in Firefox and Opera.
In this case this is achieved with an invalid HTML structure with nested tags.
Discovery 2012-08-30 Entry 2012-12-30 otrs
< 3.1.10
CVE-2012-4600
http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-02/
|
96e776c7-e75c-11df-8f26-00151735203a | OTRS -- Multiple XSS and denial of service vulnerabilities
OTRS Security Advisory reports:
- Multiple Cross Site Scripting issues:
Missing HTML quoting allows authenticated agents or
customers to inject HTML tags. This vulnerability
allows an attacker to inject script code into the OTRS
web-interface which will be loaded and executed
in the browsers of system users.
- Possible Denial of Service Attack:
Perl's regular expressions consume 100% CPU time
on the server if an agent or customer views an affected
article. To exploit this vulnerability the malicious user
needs to send extremely large HTML emails to your
system address.
AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:
Whenever a customer sends an HTML e-mail and RichText is enabled
in OTRS, javascript contained in the email can do everything
in the OTRS agent interface that the agent himself could do.
Most relevant is that this type of exploit can be used in such
a way that the agent won't even detect he is being exploited.
Discovery 2010-09-15 Entry 2010-11-03 otrs
gt 2.3.* lt 2.4.9
CVE-2010-2080
CVE-2010-4071
http://otrs.org/advisory/OSA-2010-02-en/
http://otrs.org/advisory/OSA-2010-03-en/
|
a4372a68-652c-11e0-a25a-00151735203a | OTRS -- Several XSS attacks possible
OTRS Security Advisory reports:
- Several XSS attacks possible:
An attacker could trick a logged in user to following a prepared
URL inside of the OTRS system which causes a page to be shown that
possibly includes malicious !JavaScript code because of incorrect
escaping during the generation of the HTML page.
Discovery 2011-03-12 Entry 2011-04-12 otrs
gt 2.3.* lt 3.0.7
CVE-2011-1518
http://otrs.org/advisory/OSA-2011-01-en/
|
a5b24a6b-c37c-11e2-addb-60a44c524f57 | otrs -- information disclosure
The OTRS Project reports:
An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets and they are not permitted to see.
Discovery 2013-05-22 Entry 2013-05-23 otrs
< 3.2.7
CVE-2013-3551
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
|
b50cbbc0-7fb2-11e2-9c5a-000d601460a4 | otrs -- XSS vulnerability in Internet Explorer could lead to remote code execution
The OTRS Project reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. Due to the XSS vulnerability in Internet Explorer an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your Internet Explorer while
displaying the email.
Affected by this vulnerability are all releases of OTRS 2.4.x up to
and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to
and including 3.1.8 in combination with Internet Explorer.
Discovery 2012-08-22 Entry 2013-02-25 otrs
ge 3.1.* lt 3.1.9
CVE-2012-2582
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01
|
c7b5d72b-886a-11e3-9533-60a44c524f57 | otrs -- multiple vulnerabilities
The OTRS Project reports:
SQL injection issue
An attacker that managed to take over the session of a logged in customer
could create tickets and/or send follow-ups to existing tickets due to
missing challenge token checks.
Discovery 2014-01-28 Entry 2014-01-28 Modified 2014-02-06 otrs
< 3.1.19
gt 3.2.* lt 3.2.14
gt 3.3.* lt 3.3.4
CVE-2014-1471
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
|
cebd05d6-ed7b-11e7-95f2-005056925db4 | OTRS -- Multiple vulnerabilities
OTRS reports:
An attacker who is logged into OTRS as an agent can request special URLs
from OTRS which can lead to the execution of shell commands with the
permissions of the web server user.
An attacker who is logged into OTRS as a customer can use the ticket search
form to disclose internal article information of their customer tickets.
An attacker who is logged into OTRS as an agent can manipulate form
parameters and execute arbitrary shell commands with the permissions of the
OTRS or web server user.
An attacker can send a specially prepared email to an OTRS system. If this
system has cookie support disabled, and a logged in agent clicks a link in this
email, the session information could be leaked to external systems, allowing the
attacker to take over the agentâs session.
Discovery 2017-11-21 Entry 2017-12-30 otrs
< 5.0.26
CVE-2017-16664
CVE-2017-16854
CVE-2017-16921
ports/224729
https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
|
d60199df-7fb3-11e2-9c5a-000d601460a4 | otrs -- XSS vulnerability in Firefox and Opera could lead to remote code execution
The OTRS Project reports:
This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your browser while displaying the
email in Firefox and Opera. In this case this is achieved with an
invalid HTML structure with nested tags.
Affected by this
vulnerability are all releases of OTRS 2.4.x up to and including
2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including
3.1.9 in combination with Firefox and Opera.
Discovery 2012-08-30 Entry 2013-02-25 otrs
ge 3.1.* lt 3.1.10
CVE-2012-4600
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02
|
e3e788aa-e9fd-11e2-a96e-60a44c524f57 | otrs -- Sql Injection + Xss Issue
The OTRS Project reports:
An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.
Discovery 2013-07-09 Entry 2013-07-11 otrs
< 3.2.9
CVE-2013-4717
CVE-2013-4718
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/
|
eae8e3cf-9dfe-11e2-ac7f-001fd056c417 | otrs -- Information disclosure and Data manipulation
The OTRS Project reports:
An attacker with a valid agent login could manipulate URLs in the
object linking mechanism to see titles of tickets and other objects
that are not obliged to be seen. Furthermore, links to objects without
permission can be placed and removed.
Discovery 2013-04-02 Entry 2013-04-05 otrs
< 3.1.14
CVE-2013-2625
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/
|
ffa7c6e4-bb29-11e3-8136-60a44c524f57 | otrs -- Clickjacking issue
The OTRS Project reports:
An attacker could embed OTRS in a hidden iframe tag of another
page, tricking the user into clicking links in OTRS.
Discovery 2014-04-01 Entry 2014-04-03 otrs
< 3.1.21
gt 3.2.* lt 3.2.16
gt 3.3.* lt 3.3.6
http://www.w3.org/1999/xhtml
CVE-2014-2554
|