Page 2 of 13 results (0.036 seconds)

CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0

OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. OTRS 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a atacantes remotos realizar ataques de clickjacking a través de un elemento IFRAME. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html http://www.otrs.com/security-advisory-2014-05-clickjacking-issue • CWE-20: Improper Input Validation •

CVSS: 3.5EPSS: 0%CPEs: 54EXPL: 0

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través de vectores relacionados con campos dinámicos. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html http://secunia.com/advisories/57616 https://www.otrs.com/security-advisory-2014-04-xss-issue • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 4%CPEs: 48EXPL: 2

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.20, 3.2.x anterior a 3.2.15 y 3.3.x anterior a 3.3.5 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un email HTML manipulado. OTRS versions 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/36842 http://adamziaja.com/poc/201401-xss-otrs.html http://lists.opensuse.org/opensuse-updates/2014-03/msg00030.html http://packetstormsecurity.com/files/131654/OTRS-3.x-Cross-Site-Scripting.html http://secunia.com/advisories/57018 http://www.osvdb.org/103781 http://www.securityfocus.com/bid/65844 https://www.otrs.com/security-advisory-2014-03-xss-issue • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 45EXPL: 3

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets. Múltiples vulnerabilidades de CSRF en (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm y (4) CustomerTicketZoom.pm en Kernel/Modules/ en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos secuestrar la auntenticación de usuarios arbitrarios para solicitudes que (5) crean tickets o (6) envían seguimientos a tickets existentes. • http://bugs.otrs.org/show_bug.cgi?id=10099 http://osvdb.org/102632 http://secunia.com/advisories/56644 http://secunia.com/advisories/56655 http://www.debian.org/security/2014/dsa-2867 http://www.openwall.com/lists/oss-security/2014/01/29/15 http://www.openwall.com/lists/oss-security/2014/01/29/7 https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7 https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312 https://github.com/OTRS/otrs/ • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.5EPSS: 0%CPEs: 45EXPL: 0

SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL. Vulnerabilidad de inyección SQL en la función StateGetStatesByType en Kernel/System/State.pm en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores relacionados con la URL de búsqueda de tickets. • http://osvdb.org/102661 http://secunia.com/advisories/56644 http://secunia.com/advisories/56655 http://www.debian.org/security/2014/dsa-2867 http://www.openwall.com/lists/oss-security/2014/01/29/15 http://www.securityfocus.com/bid/65241 https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82 https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949 https://www.otrs.com/release-notes-otrs • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •