CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2022-03 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-13 • CWE-613: Insufficient Session Expiration •
CVE-2011-2385
https://notcve.org/view.php?id=CVE-2011-2385
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors. El paquete iPhoneHandle v0.9.x anterior a v0.9.7 y v1.0.x anterios a v1.0.3 en Open Ticket Request System (OTRS) no restringe adecuadamente el uso de intefaces de iPhoneHandle, lo que permite a usuarios autenticados de forma remota obtener privilegios, y en consecuencia, leer o modificar objetos OTRS, a través de vectores desconocidos. • http://osvdb.org/73885 http://otrs.org/advisory/OSA-2011-02-en http://secunia.com/advisories/45227 http://www.securityfocus.com/bid/48678 https://exchange.xforce.ibmcloud.com/vulnerabilities/68558 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-7279
https://notcve.org/view.php?id=CVE-2008-7279
The CustomerInterface component in Open Ticket Request System (OTRS) before 2.2.8 allows remote authenticated users to bypass intended access restrictions and access tickets of arbitrary customers via unspecified vectors. El componente CustomerInterface en Open Ticket Request System (OTRS) anterior a v2.2.8 permite a usuarios remotos autenticados eludir las restricciones de acceso impuestas y los tickets clientes arbitrarios a través de vectores no especificados. • http://bugs.otrs.org/show_bug.cgi?id=3103 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807 • CWE-264: Permissions, Privileges, and Access Controls •