CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36091 – Unautorized access to the calendar appointments
https://notcve.org/view.php?id=CVE-2021-36091
26 Jul 2021 — Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. Unos agentes pueden listar citas en los calendarios sin los permisos necesarios. Este problema afecta a: OTRS AG ((OTRS)) Community Edition: versión 6.0.x versión 6.0.1 y versiones posteriores. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21443 – Unautorized listing of the customer user emails
https://notcve.org/view.php?id=CVE-2021-21443
26 Jul 2021 — Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. Unos agentes pueden enumerar los correos electrónicos de los usuarios de los clientes sin los permisos requeridos en la pantalla de acciones masivas. Este problema afecta a: OTRS AG ((OTRS)) Community Edition: versión 6.0.x versión 6.0.1 y versiones posteriores. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21440 – Support Bundle includes S/Mime and PGP keys
https://notcve.org/view.php?id=CVE-2021-21440
26 Jul 2021 — Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. Unos Paquetes de Soporte Generados contienen claves privadas S/MIME y PGP si la carpeta que los contiene no está oculta. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x versión 6.0.1 y versiones pos... • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21441 – XSS in the ticket overview screens
https://notcve.org/view.php?id=CVE-2021-21441
16 Jun 2021 — There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21439 – Possible DoS attack using a special crafted URL in email body
https://notcve.org/view.php?id=CVE-2021-21439
14 Jun 2021 — DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions. El ataque de DoS puede ser llevado a cabo cuando un correo electrónico contiene una URL especialmente diseñada en el cue... • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21435 – Information exposure in PDF export
https://notcve.org/view.php?id=CVE-2021-21435
08 Feb 2021 — Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions. Los campos del Article Bcc y la información personal del agente son mostradas cuando el cliente imprime el ticket (PDF) por medio de una interfaz externa. Este problema afecta a: OTRS AG OTRS versiones 7.0.x versión 7.0.23 y versiones anteriores; versiones 8.0.x ve... • https://otrs.com/release-notes/otrs-security-advisory-2021-02 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1774 – Information disclosure
https://notcve.org/view.php?id=CVE-2020-1774
28 Apr 2020 — When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions. Cuando el usuario descarga claves y certificados de PGP o S/MIME, el archivo exportado presenta el mismo nombre para las claves privadas y públicas. • https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1773 – Session / Password / Password token leak
https://notcve.org/view.php?id=CVE-2020-1773
27 Mar 2020 — An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. Un atacante con la capacidad de generar ID de sesión o tokens de restablecimiento de contraseña, ya sea mediante la autenti... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-331: Insufficient Entropy •