Latest otrs otrs Vulnerabilities

CVE-2024-23790
Missing file type check in avatar picture upload
Otrs Otrs>=7.0.0<7.0.49
Otrs Otrs>=8.0.0<2024.1.1
CVE-2024-23791
Unnecessary data is written to log if issues during indexing occurs
Otrs Otrs>=7.0.0<7.0.49
Otrs Otrs>=8.0.0<2024.1.1
CVE-2024-23792
Insufficient access control
Otrs Otrs>=7.0.0<7.0.49
Otrs Otrs>=8.0.0<2024.1.1
CVE-2023-6254
Password is send back to client
Otrs Otrs>=8.0.1<=8.0.37
CVE-2023-5422
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certif...
Otrs Otrs>=6.0.0<=6.0.34
Otrs Otrs>=7.0.0<7.0.47
Otrs Otrs>=8.0.0<8.0.37
CVE-2023-5421
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the da...
Otrs Otrs>=6.0.0<=6.0.34
Otrs Otrs>=7.0.0<7.0.47
Otrs Otrs>=8.0.0<8.0.37
CVE-2023-38059
The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: f...
Otrs Otrs>=6.0.0<=6.0.34
Otrs Otrs>=7.0.0<7.0.47
Otrs Otrs>=8.0.0<8.0.37
CVE-2023-38057
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a...
OTRS Survey>=6.0.0<=6.0.22
OTRS Survey>=7.0.0<7.0.32
OTRS Survey>=8.0.0<8.0.13
Otrs Otrs>=6.0.0<=6.0.22
Otrs Otrs>=7.0.0<7.0.32
Otrs Otrs>=8.0.0<8.0.13
CVE-2023-38058
An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This is...
Otrs Otrs>=8.0.0<8.0.35
CVE-2023-38056
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges lo...
Otrs Otrs>=6.0.1<=6.0.34
Otrs Otrs>=7.0.0<7.0.45
Otrs Otrs>=8.0.0<8.0.35
CVE-2023-38060
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker...
Otrs Otrs>=6.0.1<=6.0.34
Otrs Otrs>=8.0.0<8.0.35
Otrs Otrs>=7.0.0<7.0.45
CVE-2023-2534
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. Us...
Otrs Otrs>=8.0.0<8.0.32
CVE-2018-17883
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent ope...
Otrs Otrs>=6.0.0<6.0.12
CVE-2023-1248
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS:...
Otrs Otrs>=6.0.1<=6.0.34
Otrs Otrs>=7.0.0<7.0.42
CVE-2022-4427
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, ...
Otrs Otrs>=6.0.1<=6.0.34
Otrs Otrs>=7.0.1<7.0.40
Otrs Otrs>=8.0.1<8.0.28
Otrs Otrs=7.0.40
Otrs Otrs=8.0.28
CVE-2022-3501
Article template contents with sensitive data could be accessed from agents without permissions.
Otrs Otrs>=8.0.0<8.0.26
CVE-2022-39052
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
Otrs Otrs>=6.0.0<=6.0.32
Otrs Otrs>=7.0.0<7.0.39
Otrs Otrs>=8.0.0<8.0.26
CVE-2022-39050
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored ...
Otrs Otrs>=6.0.0<=6.0.32
Otrs Otrs>=7.0.0<7.0.37
Otrs Otrs>=8.0.0<8.0.25
CVE-2022-39051
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
Otrs Otrs>=6.0.0<=6.0.32
Otrs Otrs>=7.0.0<7.0.37
Otrs Otrs>=8.0.0<8.0.25
CVE-2021-36100
Specially crafted string in OTRS system configuration can allow the execution of any system command.
Otrs Otrs<7.0.28
Otrs Otrs>=7.0.30<7.0.33
Otrs Otrs>=8.0.0<8.0.21
Otrs Otrs Itsm<7.0.19
Otrs Otrs Itsm>=8.0.0<8.0.28
Otrs Otrs Storm<8.0.12
CVE-2022-0475
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x ve...
Otrs Otrs>=7.0.0<=7.0.32
Otrs Otrs>=8.0.0<=8.0.19
CVE-2022-1004
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Otrs Otrs>=7.0.0<7.0.33
Otrs Otrs>=8.0.0<8.0.20
CVE-2022-0473
Otrs Otrs>=7.0.0<7.0.32
CVE-2021-36097
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue af...
Otrs Otrs>=8.0.0<=8.0.16
CVE-2021-36096
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS A...
Otrs Otrs>=6.0.1
Otrs Otrs>=7.0.0<7.0.29
Otrs Otrs>=8.0.0<8.0.16
CVE-2021-36095
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0...
Otrs Otrs>=6.0.1
Otrs Otrs>=7.0.0<7.0.29
CVE-2021-36093
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versi...
Otrs Otrs>=6.0.1
Otrs Otrs>=7.0.0<7.0.29
Otrs Otrs>=8.0.0<8.0.16
CVE-2013-4718
Otrs Otrs>=3.0.0<=3.0.21
Otrs Otrs>=3.1.0<=3.1.17
Otrs Otrs>=3.2.0<=3.2.8
Otrs Otrs Itsm>=3.0.0<=3.0.8
Otrs Otrs Itsm>=3.1.0<=3.1.9
Otrs Otrs Itsm>=3.2.0<=3.2.6
CVE-2021-21443
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTR...
Otrs Otrs>=6.0.0<=6.0.32
Otrs Otrs>=7.0.0<=7.0.27
CVE-2021-36092
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later ve...
Otrs Otrs>=6.0.0<=6.0.32
Otrs Otrs>=7.0.0<7.0.28
Otrs Otrs>=8.0.0<8.0.15
CVE-2021-21440
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS A...
Otrs Otrs>=6.0.0<=6.0.1
Otrs Otrs>=7.0.0<=7.0.27
Otrs Otrs>=8.0.0<=8.0.14
CVE-2021-36091
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x ...
Otrs Otrs>=6.0.0<6.0.32
Otrs Otrs>=7.0.0<7.0.28
CVE-2021-21441
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially...
Otrs Otrs>=6.0.1
Otrs Otrs>=7.0.0<=7.0.26
CVE-2021-21439
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt...
Otrs Otrs>=6.0.1<=6.0.30
Otrs Otrs>=7.0.0<7.0.27
Otrs Otrs>=8.0.0<8.0.14
CVE-2021-21438
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
Otrs Faq>=6.0.0<6.0.29
Otrs Otrs>=7.0.0<7.0.24
CVE-2021-21435
Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0....
Otrs Otrs>=6.0.0<=6.0.30
Otrs Otrs>=7.0.0<=7.0.23
Otrs Otrs>=8.0.0<=8.0.10
CVE-2020-1778
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.
Otrs Otrs<=8.0.9
CVE-2020-1777
Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask rea...
Otrs Otrs>=7.0.0<=7.0.21
Otrs Otrs>=8.0.0<=8.0.6
CVE-2020-1776
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affect...
Otrs Otrs<6.0.29
Otrs Otrs>=7.0.0<7.0.19
Otrs Otrs>=8.0.1<8.0.5
CVE-2020-1775
BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.
Otrs Otrs>=7.0.0<7.0.18
Otrs Otrs>=8.0.0<8.0.3
CVE-2020-1774
When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of ...
Otrs Otrs>=5.0.0<=5.0.42
Otrs Otrs>=6.0.0<=6.0.27
Otrs Otrs>=7.0.0<=7.0.16
Debian Debian Linux=8.0
CVE-2020-1773
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, passwo...
Otrs Otrs>=5.0.0<=5.0.41
Otrs Otrs>=6.0.0<=6.0.26
Otrs Otrs>=7.0.0<=7.0.15
CVE-2020-1769
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0....
Otrs Otrs>=5.0.0<=5.0.41
Otrs Otrs>=6.0.0<=6.0.26
Otrs Otrs>=7.0.0<=7.0.15
openSUSE Backports SLE=15.0
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
and 2 more
CVE-2020-1770
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior v...
Otrs Otrs>=5.0.0<=5.0.41
Otrs Otrs>=6.0.0<=6.0.26
Otrs Otrs>=7.0.0<=7.0.15
openSUSE Backports SLE=15.0
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
and 3 more
CVE-2020-1771
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter enco...
Otrs Otrs>=5.0.0<=5.0.41
Otrs Otrs>=6.0.0<=6.0.26
Otrs Otrs>=7.0.0<=7.0.15
CVE-2020-1772
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue ...
Otrs Otrs>=5.0.0<=5.0.41
Otrs Otrs>=6.0.0<=6.0.26
Otrs Otrs>=7.0.0<=7.0.15
openSUSE Backports SLE=15.0
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
and 3 more
CVE-2019-16375
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or cust...
Otrs Otrs>=5.0.0<=5.0.37
Otrs Otrs>=6.0.0<=6.0.22
Otrs Otrs>=7.0.0<=7.0.11
CVE-2019-13457
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same Custome...
Otrs Otrs>=7.0.0<=7.0.8
CVE-2019-10065
An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from in...
Otrs Otrs>=7.0.0<=7.0.6
CVE-2013-3551
Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2....
Otrs Otrs>=3.0.0<3.0.20
Otrs Otrs>=3.1.0<3.1.16
Otrs Otrs>=3.2.0<3.2.7
Otrs Otrs Itsm>=3.0.0<3.0.8
Otrs Otrs Itsm>=3.1.0<3.1.9
Otrs Otrs Itsm>=3.2.0<3.2.5

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203