Page 3 of 33 results (0.007 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32. • https://otrs.com/release-notes/otrs-security-advisory-2023-03 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0

Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. • https://otrs.com/release-notes/otrs-security-advisory-2023-02 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. Vulnerabilidad de validación de entrada incorrecta en OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition permite la inyección de SQL a través de TicketSearch Webservice. Este problema afecta a OTRS: desde 7.0.1 antes de 7.0.40 parche 1, desde 8.0.1 antes de 8.0.28 parche 1 ; ((OTRS)) Community Edition: desde 6.0.1 hasta 6.0.34. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://otrs.com/release-notes/otrs-security-advisory-2022-15 • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Article template contents with sensitive data could be accessed from agents without permissions. Se podía acceder al contenido de las plantillas de artículos con datos confidenciales desde agentes sin permisos • https://otrs.com/release-notes/otrs-security-advisory-2022-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system Un atacante externo es capaz de enviar un correo electrónico especialmente diseñado (con muchos destinatarios) y desencadenar un potencial DoS del sistema • https://otrs.com/release-notes/otrs-security-advisory-2022-13 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •