CVE-2021-21438 – FAQ articles are shown to users without permission
https://notcve.org/view.php?id=CVE-2021-21438
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions. Los agentes pueden ser capaces de visualizar artículos de FAQ vinculados sin permisos (definidos en la categoría FAQ). Este problema afecta a: FAQ versión 6.0.29 y anteriores, OTRS versión 7.0.24 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2021-08 • CWE-264: Permissions, Privileges, and Access Controls CWE-276: Incorrect Default Permissions •
CVE-2013-2625
https://notcve.org/view.php?id=CVE-2013-2625
An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. Access rights by the object linking mechanism is not verified Existe un problema de Omisión de Acceso en OTRS Help Desk versiones anteriores a la versión 3.2.4, 3.1.14 y 3.0.19, OTRS ITSM versiones anteriores a la versión 3.2.3, 3.1.8 y 3.0.7, y FAQ versiones anteriores a la versión 2.2.3, 2.1.4, y 2.0.8. Los derechos de acceso por el mecanismo de enlace de objetos no son comprobados. • http://archives.neohapsis.com/archives/bugtraq/2013-08/0009.html http://lists.opensuse.org/opensuse-updates/2013-08/msg00027.html http://www.securityfocus.com/bid/58936 https://exchange.xforce.ibmcloud.com/vulnerabilities/83287 https://security-tracker.debian.org/tracker/CVE-2013-2625 • CWE-269: Improper Privilege Management •
CVE-2016-5843
https://notcve.org/view.php?id=CVE-2016-5843
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters. Múltiples vulnerabilidades de inyección SQL en el paquete FAQ 2.x en versiones anteriores a 2.3.6, 4.x en versiones anteriores a 4.0.5 y 5.x en versiones anteriores a 5.0.5 en Open Ticket Request System (OTRS) permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través de parámetros de búsqueda manipulados. • http://www.securityfocus.com/bid/93019 https://github.com/OTRS/FAQ/commit/3700f75c67f6ed1d39bc213445c6d12a458e1af9 https://github.com/OTRS/FAQ/commit/8c9d63bd0297adda760330805c31afc130861557 https://github.com/OTRS/FAQ/commit/b805703e7b7725d1f3040bb626a4c4dd845ee9e3 https://www.otrs.com/security-advisory-2016-01-security-update-otrs-faq-package • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-2637 – OTRS 3.x - FAQ Module Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2637
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code. Se presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) en OTRS ITSM versiones anteriores a 3.2.4, 3.1.8 y 3.0.7 y FAQ versiones anteriores a 2.1.4 y 2.0.8, por medio de changes, workorder items, y FAQ articles, podrían permitir a un usuario malicioso remoto ejecutar código arbitrario. • https://www.exploit-db.com/exploits/24922 http://lists.opensuse.org/opensuse-updates/2013-08/msg00027.html http://www.exploit-db.com/exploits/24922 http://www.securityfocus.com/bid/58930 https://exchange.xforce.ibmcloud.com/vulnerabilities/83288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •