
CVE-2017-14635 – Debian Security Advisory 4021-1
https://notcve.org/view.php?id=CVE-2017-14635
21 Sep 2017 — In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. It was discovered... • https://www.debian.org/security/2017/dsa-4021 • CWE-20: Improper Input Validation •

CVE-2017-9324 – Debian Security Advisory 3876-1
https://notcve.org/view.php?id=CVE-2017-9324
08 Jun 2017 — In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. • https://packetstorm.news/files/id/142862 • CWE-269: Improper Privilege Management •
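The entry above names the exact request shape (index.pl?Action=Installer with Subaction=Intro, Start or System), which is enough to hunt for in web-server logs. The following is an added example, not code from notcve.org or from the OTRS project: it parses Apache combined-format access log lines and flags every request that invokes the Installer action. The log lines are constructed for the example; OTRS accepts both `;` and `&` as query separators, so the parser splits on both and percent-decodes each key and value afterwards, the order a CGI parser uses.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not real traffic): two ordinary
# agent requests, three Installer requests that were served (200), and one
# that was refused (403).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2017:10:12:01 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Jun/2017:10:13:44 +0000] "GET /otrs/index.pl?Action=Installer;Subaction=Intro HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Jun/2017:10:13:50 +0000] "GET /otrs/index.pl?Action=Installer;Subaction=System HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2017:10:15:02 +0000] "POST /otrs/index.pl?Action=Installer&Subaction=Start HTTP/1.1" 200 7710 "-" "curl/7.52"
10.0.0.9 - - [08/Jun/2017:10:15:09 +0000] "GET /otrs/index.pl?Action=AdminSysConfig HTTP/1.1" 200 4000 "-" "curl/7.52"
10.0.0.11 - - [08/Jun/2017:10:16:00 +0000] "GET /otrs/index.pl?Action=Installer;Subaction=Intro HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# The three Subaction values named in the CVE-2017-9324 description.
INSTALLER_SUBACTIONS = {"Intro", "Start", "System"}


def parse_query(url):
    """Return the query string of `url` as a dict.

    Split on ';' and '&' first (OTRS accepts both), then percent-decode each
    key and value, so an encoded name such as Inst%61ller is still matched.
    """
    query = url.partition("?")[2]
    params = {}
    for pair in re.split(r"[;&]", query):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def find_installer_requests(log_text):
    """Return one finding per request whose Action parameter is Installer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_query(m.group("url"))
        if params.get("Action") != "Installer":
            continue
        sub = params.get("Subaction", "")
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "subaction": sub,
            "known_vector": sub in INSTALLER_SUBACTIONS,
            # a 2xx status means the installer page was actually served
            "served": m.group("status").startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_installer_requests(SAMPLE_LOG):
        print(hit)
```

On a production instance the installer should not be reachable at all once setup is complete, so any served hit after the installation date is worth investigating regardless of Subaction. The log only gives a client address; to attribute a hit to an agent account, correlate the timestamp with OTRS's own session and login records rather than relying on the IP.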

CVE-2017-9299
https://notcve.org/view.php?id=CVE-2017-9299
29 May 2017 — Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected. • http://code610.blogspot.com/2017/05/turnkey-feat-otrs.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2016-9139
https://notcve.org/view.php?id=CVE-2016-9139
16 Feb 2017 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. • http://www.securityfocus.com/bid/94141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-9324 – Debian Security Advisory 3124-1
https://notcve.org/view.php?id=CVE-2014-9324
19 Dec 2014 — The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege... • http://advisories.mageia.org/MGASA-2015-0031.html • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2014-2554 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2554
23 Apr 2014 — OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. A logged-in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS. An attacker could embed OTRS in a hidden iframe tag of another page, tr... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-20: Improper Input Validation •
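The clickjacking entry above turns on whether another site can embed OTRS in an iframe. The check a practitioner wants is whether the responses carry a framing restriction. Below is an added example, not code from the page or from the OTRS project, that classifies a response's framing policy from its X-Frame-Options and Content-Security-Policy headers. The header sets are constructed; the precedence rule (a `frame-ancestors` directive overrides X-Frame-Options in browsers that implement CSP Level 2) is the behaviour specified for those browsers.

```python
def framing_policy(headers):
    """Classify how a response restricts being framed.

    Returns "denied", "same-origin", "allowlist" or "allowed".
    `headers` maps header name to value; names are matched case-insensitively.
    CSP frame-ancestors is evaluated first because browsers that support it
    ignore X-Frame-Options when both are present.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # an empty source list matches no origin, i.e. the same as 'none'
            if not sources or sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "allowlist"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is ignored by current browsers and offers no protection,
    # so anything other than DENY/SAMEORIGIN counts as unrestricted.
    return "allowed"


def vulnerable_to_framing(headers):
    """True when any origin may frame the page, the precondition for clickjacking."""
    return framing_policy(headers) == "allowed"


# Constructed header sets: an unprotected response and two hardened variants.
EXAMPLES = {
    "unprotected": {"Content-Type": "text/html; charset=utf-8"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_and_xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
}

if __name__ == "__main__":
    for name, hdrs in EXAMPLES.items():
        print(name, framing_policy(hdrs), "vulnerable" if vulnerable_to_framing(hdrs) else "ok")
```

To run this against a live instance, pass the response headers of an authenticated agent page (for example an index.pl?Action=AgentTicketZoom response), not only the login page: the protection has to cover the pages on which an attacker would want the victim to click.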

CVE-2014-2553 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2553
02 Apr 2014 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-1695 – OTRS < 3.1.x / < 3.2.x / < 3.3.x - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1695
28 Feb 2014 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. An attacker could send a specially prepare... • https://packetstorm.news/files/id/131654 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-1694 – Debian Security Advisory 2867-1
https://notcve.org/view.php?id=CVE-2014-1694
04 Feb 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets. • http://bugs.otrs.org/show_bug.cgi?id=10099 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2014-1471 – Debian Security Advisory 2867-1
https://notcve.org/view.php?id=CVE-2014-1471
04 Feb 2014 — SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL. • http://osvdb.org/102661 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
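Every entry on this page states its affected range per release branch ("3.3.x before 3.3.18", "4.x through 4.0.23", a single named release for CVE-2017-9299). The following is an added example, not code from notcve.org or from the OTRS project, that encodes those ten ranges exactly as stated and reports which of them include a given upstream version. "before X" means X is the fixed release; "through X" means X itself is still affected.

```python
from collections import namedtuple

# branch: the version prefix the statement applies to ((3, 3) for "3.3.x");
# bound: the version named in the statement; inclusive: True for "through X",
# False for "before X". Values are transcribed from the entries above.
Range = namedtuple("Range", "branch bound inclusive")


def before(branch, bound):
    return Range(branch, bound, False)


def through(branch, bound):
    return Range(branch, bound, True)


AFFECTED = {
    "CVE-2017-14635": [before((3, 3), (3, 3, 18)), before((4,), (4, 0, 25)), before((5,), (5, 0, 23))],
    "CVE-2017-9324":  [through((3, 3), (3, 3, 16)), through((4,), (4, 0, 23)), through((5,), (5, 0, 19))],
    # only 3.3.9 is named, and the entry says later 3.3 releases are not affected
    "CVE-2017-9299":  [through((3, 3, 9), (3, 3, 9))],
    "CVE-2016-9139":  [before((3, 3), (3, 3, 16)), before((4, 0), (4, 0, 19)), before((5, 0), (5, 0, 14))],
    "CVE-2014-9324":  [before((3, 2), (3, 2, 17)), before((3, 3), (3, 3, 11)), before((4, 0), (4, 0, 3))],
    "CVE-2014-2554":  [before((3, 1), (3, 1, 21)), before((3, 2), (3, 2, 16)), before((3, 3), (3, 3, 6))],
    "CVE-2014-2553":  [before((3, 1), (3, 1, 21)), before((3, 2), (3, 2, 16)), before((3, 3), (3, 3, 6))],
    "CVE-2014-1695":  [before((3, 1), (3, 1, 20)), before((3, 2), (3, 2, 15)), before((3, 3), (3, 3, 5))],
    "CVE-2014-1694":  [before((3, 1), (3, 1, 19)), before((3, 2), (3, 2, 14)), before((3, 3), (3, 3, 4))],
    "CVE-2014-1471":  [before((3, 1), (3, 1, 19)), before((3, 2), (3, 2, 14)), before((3, 3), (3, 3, 4))],
}


def parse_version(text):
    """Turn '5.0.22' into (5, 0, 22); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised OTRS version: %r" % text)
    return tuple(int(p) for p in parts)


def in_range(version, rng):
    """True when `version` lies on the range's branch and under its bound."""
    if version[:len(rng.branch)] != rng.branch:
        return False
    return version <= rng.bound if rng.inclusive else version < rng.bound


def affected_cves(version_text):
    """Return, sorted, the CVEs from this listing whose stated ranges include the version."""
    version = parse_version(version_text)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    for v in ("3.3.9", "5.0.22", "3.3.20"):
        print(v, affected_cves(v) or "none of the listed CVEs")
```

A match means the upstream version falls inside a stated range, nothing more: the Debian and Mandriva advisories cited above ship backported fixes without raising the upstream version number, so for a distribution package compare against the package changelog rather than this table.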