CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2020-1772 – Information Disclosure
https://notcve.org/view.php?id=CVE-2020-1772
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Es posible diseñar peticiones de Contraseña Perdida con wildcards en el valor de Token, permite a un atacante recuperar Token(s) válidos, generados por usuarios que ya solicitaron nuevas contraseñas. Este problema afecta a: ((OTRS)) Community Edition versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-09 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1771 – Possible XSS in Customer user address book
https://notcve.org/view.php?id=CVE-2020-1771
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Un atacante es capaz de diseñar un artículo con un enlace hacia la libreta de direcciones del cliente con contenido malicioso (JavaScript). • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-08 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1770 – Information disclosure in support bundle files
https://notcve.org/view.php?id=CVE-2020-1770
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Unos archivos generados por el paquete de soporte podrían contener información confidencial que podría sin querer ser revelada. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-07 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. En las pantallas de inicio de sesión (en la interfaz del agente y cliente), los campos Username y Password usan autocompletar, lo que podría ser considerado un problema de seguridad. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2020-06 • CWE-16: Configuration •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2019-16375
https://notcve.org/view.php?id=CVE-2019-16375
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.11, y Community Edition versiones 5.0.x hasta 5.0.37 y versiones 6.0.x hasta 6.0.22. Un atacante que haya iniciado sesión como un usuario agente o cliente con los permisos apropiados puede crear una cadena cuidadosamente diseñada que contenga código JavaScript malicioso como cuerpo del artículo. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/category/security-advisories-en https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2019-13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •