CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. En las pantallas de inicio de sesión (en la interfaz del agente y cliente), los campos Username y Password usan autocompletar, lo que podría ser considerado un problema de seguridad. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-06 • CWE-16: Configuration •
CVE-2019-16375
https://notcve.org/view.php?id=CVE-2019-16375
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.11, y Community Edition versiones 5.0.x hasta 5.0.37 y versiones 6.0.x hasta 6.0.22. Un atacante que haya iniciado sesión como un usuario agente o cliente con los permisos apropiados puede crear una cadena cuidadosamente diseñada que contenga código JavaScript malicioso como cuerpo del artículo. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/category/security-advisories-en https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2019-13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-13457
https://notcve.org/view.php?id=CVE-2019-13457
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.8. Un usuario cliente puede usar los resultados de la búsqueda para divulgar información de sus tickets "company" (con el mismo CustomerID), inclusive cuando la configuración CustomerDisableCompanyTicketAccess está activada. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://otrs.com/release-notes/otrs-security-advisory-2019-11 https://www.otrs.com/category/release-and-security-notes-en • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-10065
https://notcve.org/view.php?id=CVE-2019-10065
An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0 hasta la versión 7.0.6. Un atacante que está registrado en OTRS como un usuario cliente puede usar unas pantallas de resultados de búsqueda para divulgar información de los artículos internos de las FAQ, una vulnerabilidad diferente de CVE-2019-9753. • https://community.otrs.com/category/release-and-security-notes-en https://otrs.com/release-notes/otrs-security-advisory-2019-07 •
CVE-2020-1768 – External Interface does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1768
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. El sistema frontend externo usa numerosas llamadas en segundo plano al backend. Cada petición en segundo plano es tratada como actividad del usuario, por lo que la SessionMaxIdleTime no será alcanzada. • https://otrs.com/release-notes/otrs-security-advisory-2020-04 • CWE-613: Insufficient Session Expiration •