Page 10 of 156 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

11 Nov 2018 — Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled. Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.33, 5.0.x anteriores a la 5.0.31 y 6.0.x anteriores a la 6.0.13 permite que un usuario autenticado elimine los archivos a través de un formulario de envío modificado, ya que el almacenamiento en caché de la carga se maneja de... • https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0

11 Nov 2018 — Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled. Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.33 y 5.0.x anteriores a la 5.0.31 permite que un administrador realice un ataque Cross-Site Scripting (XSS) mediante una URL modificada porque las preferencias de usuario y cliente se gestionan de manera incorrecta. • https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

28 Sep 2018 — In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources. En Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.32, versiones 5.0.x anteriores a la 5.0.30 y versiones 6.0.x anteriores a la 6.0.11, un atacante podría enviar un email malicioso a un sistema OTRS. Si un usuario que ... • https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

28 Sep 2018 — In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to. En Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.32, versiones 5.0.x anteriores a la 5.0.30 y versiones 6.0.x anteriores a la 6.0.11, un atacante podría enviar un email malicioso a un sist... • https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework • CWE-20: Improper Input Validation •

CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0

03 Aug 2018 — An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL. Se ha descubierto un problema en Open Ticket Request System (OTRS), en versiones 6.0.x anteriores a la 6.0.9, versiones 5.0.x anteriores a la 5.0.28 y versiones 4.0.x anteriores a la 4.0.30. Un atacante que haya iniciado sesión en OTRS como agente podría escalar sus... • https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/?lang=de •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

06 Jun 2018 — An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets. Se ha descubierto un problema en OTRS, en versiones 6.0.x anteriores a la 6.0.7. Un atacante que haya iniciado sesión en OTRS como cliente puede emplear la pantalla de visualización de tickets para revelar información interna de artículos de sus tickets de cliente. • https://community.otrs.com/security-advisory-2018-01-security-update-for-otrs-framework • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 2

03 Mar 2018 — In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verifi... • https://packetstorm.news/files/id/146639 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0

20 Dec 2017 — Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email. Open Ticket Request System (OTRS) en versiones 4.0.x anteriores a la 4.0.28, 5.0.x anteriores a la 5.0.26 y 6.0.x anteriores a la 6.0.3, cuando el soporte de cookies está desactivado, podría permitir a los atacantes remotos secuestrar las sesiones web y ganar privilegios e... • https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0

08 Dec 2017 — In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. En Open Ticket Request System (OTRS) hasta la versión 3.3.20; en las versiones 4 hasta la 4.0.26; en las versiones 5 hasta la 5.0.24 y en las versiones 6 hasta la 6.0.1, un atacante que ha iniciado sesión como cliente puede emplear el formulario de búsqueda de... • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.0EPSS: 1%CPEs: 70EXPL: 3

08 Dec 2017 — In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user. En OTRS en versiones 6.0.x hasta e incluyendo 6.0.1; OTRS 5.0.x hasta e incluyendo 5.0.24 y OTRS 4.0.x hasta e incluyendo 4.0.26, un atacante que haya iniciado sesión en OTRS como agente puede manipular ... • https://packetstorm.news/files/id/162295 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •