CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1768 – External Interface does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1768
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. El sistema frontend externo usa numerosas llamadas en segundo plano al backend. Cada petición en segundo plano es tratada como actividad del usuario, por lo que la SessionMaxIdleTime no será alcanzada. • https://otrs.com/release-notes/otrs-security-advisory-2020-04 • CWE-613: Insufficient Session Expiration •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1767 – Possible to send drafted messages as wrong agent
https://notcve.org/view.php?id=CVE-2020-1767
Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. • https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-03 •
CVSS: 6.1EPSS: 1%CPEs: 4EXPL: 0CVE-2020-1766 – Improper handling of uploaded inline images
https://notcve.org/view.php?id=CVE-2020-1766
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Debido al manejo inapropiado de las imágenes cargadas, es posible, en condiciones muy extrañas y poco frecuentes, forzar al navegador de los agentes a ejecutar JavaScript malicioso desde un archivo SVG especial diseñado tal y como un archivo jpg en línea. Este problema afecta a: ((OTRS)) Community Edition versiones 5.0.x versión 5.0.39 y anteriores; versiones 6.0.x versión 6.0.24 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1765 – Spoofing of From field in several screens
https://notcve.org/view.php?id=CVE-2020-1765
An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Un control inapropiado de los parámetros permite la suplantación de los campos de las siguientes pantallas: AgentTicketCompose, AgentTicketForward, AgentTicketBounce y AgentTicketEmailOutbound. Este problema afecta a: ((OTRS)) Community Edition versiones 5.0.x versión 5.0.39 y anteriores; versiones 6.0.x versión 6.0.24 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-01 • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2019-18179
https://notcve.org/view.php?id=CVE-2019-18179
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. Se descubrió un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta la versión 7.0.12, y Community Edition versiones 5.0.x hasta 5.0.38 y 6.0.x hasta 6.0.23. Un atacante que ha iniciado sesión en OTRS como un agente es capaz de enumerar los tickets asignados a otros agentes, inclusive los tickets en una cola donde el atacante no tiene permisos. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html •