CVSS: 6.0EPSS: 0%CPEs: 31EXPL: 0CVE-2014-9324
https://notcve.org/view.php?id=CVE-2014-9324
The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. GenericInterface en OTRS Help Desk 3.2.x anterior a 3.2.17, 3.3.x anterior a 3.3.11 y 4.0.x anterior a 4.0.3 permiten a usuarios remotos autenticados acceder y modificar tickets arbitrarios a través de vectores sin especificar. • http://advisories.mageia.org/MGASA-2015-0031.html http://secunia.com/advisories/59875 http://secunia.com/advisories/62188 http://secunia.com/advisories/62662 http://www.mandriva.com/security/advisories?name=MDVSA-2015:043 https://www.otrs.com/security-advisory-2014-06-incomplete-access-control • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2554
https://notcve.org/view.php?id=CVE-2014-2554
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. OTRS 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a atacantes remotos realizar ataques de clickjacking a través de un elemento IFRAME. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html http://www.otrs.com/security-advisory-2014-05-clickjacking-issue • CWE-20: Improper Input Validation •
CVSS: 3.5EPSS: 0%CPEs: 54EXPL: 0CVE-2014-2553
https://notcve.org/view.php?id=CVE-2014-2553
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través de vectores relacionados con campos dinámicos. • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html http://secunia.com/advisories/57616 https://www.otrs.com/security-advisory-2014-04-xss-issue • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 4%CPEs: 48EXPL: 2CVE-2014-1695 – OTRS < 3.1.x / < 3.2.x / < 3.3.x - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1695
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.20, 3.2.x anterior a 3.2.15 y 3.3.x anterior a 3.3.5 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un email HTML manipulado. OTRS versions 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 suffer from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/36842 http://adamziaja.com/poc/201401-xss-otrs.html http://lists.opensuse.org/opensuse-updates/2014-03/msg00030.html http://packetstormsecurity.com/files/131654/OTRS-3.x-Cross-Site-Scripting.html http://secunia.com/advisories/57018 http://www.osvdb.org/103781 http://www.securityfocus.com/bid/65844 https://www.otrs.com/security-advisory-2014-03-xss-issue • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 45EXPL: 0CVE-2014-1471
https://notcve.org/view.php?id=CVE-2014-1471
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL. Vulnerabilidad de inyección SQL en la función StateGetStatesByType en Kernel/System/State.pm en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores relacionados con la URL de búsqueda de tickets. • http://osvdb.org/102661 http://secunia.com/advisories/56644 http://secunia.com/advisories/56655 http://www.debian.org/security/2014/dsa-2867 http://www.openwall.com/lists/oss-security/2014/01/29/15 http://www.securityfocus.com/bid/65241 https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82 https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949 https://www.otrs.com/release-notes-otrs • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •