CVE-2018-20800
https://notcve.org/view.php?id=CVE-2018-20800
An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13. Users updating to 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table. • https://community.otrs.com/security-advisory-2018-10-security-update-for-otrs-framework • CWE-20: Improper Input Validation
CVE-2018-19141
https://notcve.org/view.php?id=CVE-2018-19141
Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled. • https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2018/11/msg00028.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19143
https://notcve.org/view.php?id=CVE-2018-19143
Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled. • https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2018/11/msg00028.html • CWE-425: Direct Request ('Forced Browsing')
CVE-2018-19142
https://notcve.org/view.php?id=CVE-2018-19142
Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin to conduct an XSS attack via a modified URL. • https://community.otrs.com/security-advisory-2018-08-security-update-for-otrs-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-16587
https://notcve.org/view.php?id=CVE-2018-16587
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to. • https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01 https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843 https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711 https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html https://www.debian.org/security/2018/dsa-4317 • CWE-20: Improper Input Validation