CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2534 – Information disclouse and DoS via websocket push events
https://notcve.org/view.php?id=CVE-2023-2534
08 May 2023 — Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of ... • https://otrs.com/release-notes/otrs-security-advisory-2023-03 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-1250 – Code execution through ACL creation
https://notcve.org/view.php?id=CVE-2023-1250
20 Mar 2023 — Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (A... • https://otrs.com/release-notes/otrs-security-advisory-2023-02 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-4427 – SQL Injection via OTRS Search API
https://notcve.org/view.php?id=CVE-2022-4427
19 Dec 2022 — Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. Vulnerabilidad de validación de entrada incorrecta en OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition permite la inyección de SQL a través de TicketSearch Webservice. Este problema afecta a OTRS: desde 7.0.1 antes de 7.0.4... • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3501 – Information exposure of template content due to missing check of permissions
https://notcve.org/view.php?id=CVE-2022-3501
17 Oct 2022 — Article template contents with sensitive data could be accessed from agents without permissions. Se podía acceder al contenido de las plantillas de artículos con datos confidenciales desde agentes sin permisos • https://otrs.com/release-notes/otrs-security-advisory-2022-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39052 – DoS attack using email
https://notcve.org/view.php?id=CVE-2022-39052
17 Oct 2022 — An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system Un atacante externo es capaz de enviar un correo electrónico especialmente diseñado (con muchos destinatarios) y desencadenar un potencial DoS del sistema • https://otrs.com/release-notes/otrs-security-advisory-2022-13 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39051 – Perl Code execution in Template Toolkit
https://notcve.org/view.php?id=CVE-2022-39051
05 Sep 2022 — Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package El atacante podría ser capaz de ejecutar código Perl malicioso en el kit de herramientas Template, haciendo que el administrador instale un paquete de 3ª parte no verificado • https://otrs.com/release-notes/otrs-security-advisory-2022-12 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39050 – Possible XSS stored in customer information
https://notcve.org/view.php?id=CVE-2022-39050
05 Sep 2022 — An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap Un atacante que haya iniciado sesión en OTRS como usuario administrador puede manipular el campo de la URL del cliente para almacenar código JavaScript que será ejecutado posteriorm... • https://otrs.com/release-notes/otrs-security-advisory-2022-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 1%CPEs: 3EXPL: 0CVE-2022-39049 – Possible XSS in Admin Interface
https://notcve.org/view.php?id=CVE-2022-39049
05 Sep 2022 — An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. Un atacante que haya iniciado sesión en OTRS como usuario administrador puede manipular la URL para causar una ejecución de JavaScript en el contexto de OTRS • https://otrs.com/release-notes/otrs-security-advisory-2022-10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32741 – Information disclosure in Request New Password feature
https://notcve.org/view.php?id=CVE-2022-32741
13 Jun 2022 — Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time. El atacante es capaz de determinar si el nombre de usuario proporcionado se presenta (y es válido) usando la funcionalidad Request New Password, basándose en el tiempo de respuesta • https://otrs.com/release-notes/otrs-security-advisory-2022-09 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32740 – Information disclosure in the External Interface
https://notcve.org/view.php?id=CVE-2022-32740
13 Jun 2022 — A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances. Una respuesta a un artículo de correo electrónico reenviado por un tercero podría exponer involuntariamente el contenido del correo electrónico al cliente del ticket bajo determinadas circunstancias • https://otrs.com/release-notes/otrs-security-advisory-2022-08 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •