CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
21 Mar 2022 — Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-16854
https://notcve.org/view.php?id=CVE-2017-16854
08 Dec 2017 — In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. En Open Ticket Request System (OTRS) hasta la versión 3.3.20; en las versiones 4 hasta la 4.0.26; en las versiones 5 hasta la 5.0.24 y en las versiones 6 hasta la 6.0.1, un atacante que ha iniciado sesión como cliente puede emplear el formulario de búsqueda de... • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2017-16664
https://notcve.org/view.php?id=CVE-2017-16664
21 Nov 2017 — Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. Existe inyección de código en Kernel/System/Spelling.pm en Open Ticket Request System (OTRS) 5 en versiones anteriores a la5.0.24; 4 en versiones anteriores a la 4.0.26 y 3.3 en versiones anteriores a la 3.3.20. En la interfaz del agente, ... • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-15864
https://notcve.org/view.php?id=CVE-2017-15864
16 Nov 2017 — In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. En Agent Frontend en Open Ticket Request System (OTRS) en sus versiones 3.3.x hasta la 3.3.18, con una URL manipulada es posible obtener información como el usuario y la contraseña de la base de datos. • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html •
CVSS: 8.8EPSS: 0%CPEs: 82EXPL: 0CVE-2017-14635 – Debian Security Advisory 4021-1
https://notcve.org/view.php?id=CVE-2017-14635
21 Sep 2017 — In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. En OTRS (Open Ticket Request System) en versiones 3.3.x anteriores a la 3.3.18, 4.x anteriores a la 4.0.25 y 5.x anteriores a la 5.0.23, los usuarios autenticados remotos pueden utilizar los permisos de escritura de estadísticas para obtener privilegios mediante la inyección de código. It was discovered... • https://www.debian.org/security/2017/dsa-4021 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 1CVE-2017-9324 – Debian Security Advisory 3876-1
https://notcve.org/view.php?id=CVE-2017-9324
08 Jun 2017 — In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. En Open Ticket Request System (OTRS) versión 3.3.x hasta la versión 3.3.16, versi... • https://packetstorm.news/files/id/142862 • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 133EXPL: 0CVE-2016-9139
https://notcve.org/view.php?id=CVE-2016-9139
16 Feb 2017 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.3.x en versiones anteriores a 3.3.16, 4.0.x en versiones anteriores a 4.0.19 y 5.0.x en versiones anteriores a 5.0.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ad... • http://www.securityfocus.com/bid/94141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 31EXPL: 0CVE-2014-9324 – Debian Security Advisory 3124-1
https://notcve.org/view.php?id=CVE-2014-9324
19 Dec 2014 — The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. GenericInterface en OTRS Help Desk 3.2.x anterior a 3.2.17, 3.3.x anterior a 3.3.11 y 4.0.x anterior a 4.0.3 permiten a usuarios remotos autenticados acceder y modificar tickets arbitrarios a través de vectores sin especificar. Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege... • http://advisories.mageia.org/MGASA-2015-0031.html • CWE-264: Permissions, Privileges, and Access Controls •