CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-19141
https://notcve.org/view.php?id=CVE-2018-19141
Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled. Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.33 y 5.0.x anteriores a la 5.0.31 permite que un administrador realice un ataque Cross-Site Scripting (XSS) mediante una URL modificada porque las preferencias de usuario y cliente se gestionan de manera incorrecta. • https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2018/11/msg00028.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-19143
https://notcve.org/view.php?id=CVE-2018-19143
Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled. Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.33, 5.0.x anteriores a la 5.0.31 y 6.0.x anteriores a la 6.0.13 permite que un usuario autenticado elimine los archivos a través de un formulario de envío modificado, ya que el almacenamiento en caché de la carga se maneja de forma incorrecta. • https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2018/11/msg00028.html • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-16587
https://notcve.org/view.php?id=CVE-2018-16587
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to. En Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.32, versiones 5.0.x anteriores a la 5.0.30 y versiones 6.0.x anteriores a la 6.0.11, un atacante podría enviar un email malicioso a un sistema OTRS. Si un usuario con permisos de administrador lo abre, provoca eliminaciones de archivos arbitrarios a los que el servidor web OTRS tiene acceso de escritura. • https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01 https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843 https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711 https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html https://www.debian.org/security/2018/dsa-4317 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2018-16586
https://notcve.org/view.php?id=CVE-2018-16586
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources. En Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.32, versiones 5.0.x anteriores a la 5.0.30 y versiones 6.0.x anteriores a la 6.0.11, un atacante podría enviar un email malicioso a un sistema OTRS. Si un usuario que haya iniciado sesión lo abre, el email podría provocar que el navegador cargue una imagen externa o recursos CSS. • https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963 https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7 https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302 https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html https://www.debian.org/security/2018/dsa-4317 •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14593
https://notcve.org/view.php?id=CVE-2018-14593
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL. Se ha descubierto un problema en Open Ticket Request System (OTRS), en versiones 6.0.x anteriores a la 6.0.9, versiones 5.0.x anteriores a la 5.0.28 y versiones 4.0.x anteriores a la 4.0.30. Un atacante que haya iniciado sesión en OTRS como agente podría escalar sus privilegios accediendo a una URL especialmente manipulada. • https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/?lang=de https://lists.debian.org/debian-lts-announce/2018/08/msg00021.html https://www.debian.org/security/2018/dsa-4317 •