CVE-2007-2524 – OTRS 2.0.4 - index.pl Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-2524
Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo index.pl en Open Ticket Request System (OTRS) versión 2.0.x, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro Subaction en una acción AgentTicketMailbox. NOTA: DEBIAN: DSA-1299 originalmente usó este identificador para un problema de ipsec-tools, pero el identificador adecuado para el problema de ipsec-tools es CVE-2007-1841. • https://www.exploit-db.com/exploits/29962 http://osvdb.org/35821 http://osvdb.org/35822 http://secunia.com/advisories/25205 http://secunia.com/advisories/25419 http://secunia.com/advisories/25787 http://securityreason.com/securityalert/2668 http://www.debian.org/security/2007/dsa-1298 http://www.novell.com/linux/security/advisories/2007_13_sr.html http://www.securityfocus.com/archive/1/467870/100/0/threaded http://www.securityfocus.com/archive/1/471192/100/0/thre • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2005-3894 – OTRS 2.0 - 'index.pl' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2005-3894
Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters. • https://www.exploit-db.com/exploits/26552 http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securitytracker.com/id?1015262 http://www.debian.org/security/2006/dsa-973 http://www. •
CVE-2005-3893 – OTRS 2.0 - AgentTicketPlain Action Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2005-3893
Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action. • https://www.exploit-db.com/exploits/26551 https://www.exploit-db.com/exploits/26550 http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securitytracker.com/id?1015262 http://www.debian •
CVE-2005-3895
https://notcve.org/view.php?id=CVE-2005-3895
Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources. • http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securityreason.com/securityalert/200 http://www.debian.org/security/2006/dsa-973 http://www.novell.com/linux/security/advisories/2005_30 •