CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32741 – Information disclosure in Request New Password feature
https://notcve.org/view.php?id=CVE-2022-32741
13 Jun 2022 — Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time. El atacante es capaz de determinar si el nombre de usuario proporcionado se presenta (y es válido) usando la funcionalidad Request New Password, basándose en el tiempo de respuesta • https://otrs.com/release-notes/otrs-security-advisory-2022-09 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-32740 – Information disclosure in the External Interface
https://notcve.org/view.php?id=CVE-2022-32740
13 Jun 2022 — A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances. Una respuesta a un artículo de correo electrónico reenviado por un tercero podría exponer involuntariamente el contenido del correo electrónico al cliente del ticket bajo determinadas circunstancias • https://otrs.com/release-notes/otrs-security-advisory-2022-08 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32739 – OTRS version number is always in the exported ICS files
https://notcve.org/view.php?id=CVE-2022-32739
13 Jun 2022 — When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number. Cuando ha sido deshabilitada la configuración del sistema Secure::DisableBanner y el agente comparte su calendario por medio de una URL pública, el archivo ICS recibido contiene el número de versión de OTRS • https://otrs.com/release-notes/otrs-security-advisory-2022-07 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-1004 – Information disclosure in the External Interface
https://notcve.org/view.php?id=CVE-2022-1004
21 Mar 2022 — Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled. La hora contabilizada es mostrada en la Visualización Detallada del Ticket (Interfaz Externa), incluso si ExternalFrontend::TicketDetailView###AccountedTimeDisplay está deshabilitado • https://otrs.com/release-notes/otrs-security-advisory-2022-06 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-0475 – Possible XSS attack via translation
https://notcve.org/view.php?id=CVE-2022-0475
21 Mar 2022 — Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions. Un traductor malicioso es capaz de inyectar código JavaScript en algunas cadenas traducibles (donde se permite el HTML). El código podría ejecutarse en el administrador de paquetes. • https://otrs.com/release-notes/otrs-security-advisory-2022-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
21 Mar 2022 — Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0473 – Dynamic field error message is vulnerable to XSS
https://notcve.org/view.php?id=CVE-2022-0473
07 Feb 2022 — OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions. Los administradores de OTRS pueden configurar el campo dinámico e inyectar código JavaScript malicioso en el mensaje de error de la comprobación de la expresión regular. Cuando es usado en la interfaz del agente, el... • https://otrs.com/release-notes/otrs-security-advisory-2022-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36097 – Agents are able to lock the ticket without the "Owner" permission
https://notcve.org/view.php?id=CVE-2021-36097
18 Oct 2021 — Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions. Unos agentes pueden bloquear el ticket sin el permiso de "Owner". Una vez bloqueado el ticket, puede ser movido a la cola donde el agente tiene permisos "rw" y conseguir un control total. • https://otrs.com/release-notes/otrs-security-advisory-2021-20 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36092 – XSS attack using special link in email
https://notcve.org/view.php?id=CVE-2021-36092
26 Jul 2021 — It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. Es posible crear un correo electrónico que contenga un enlace especialmente diseñado y que pueda ser usado para llevar a cabo un ataque de tipo XSS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition:... • https://otrs.com/release-notes/otrs-security-advisory-2021-15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36091 – Unautorized access to the calendar appointments
https://notcve.org/view.php?id=CVE-2021-36091
26 Jul 2021 — Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. Unos agentes pueden listar citas en los calendarios sin los permisos necesarios. Este problema afecta a: OTRS AG ((OTRS)) Community Edition: versión 6.0.x versión 6.0.1 y versiones posteriores. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •