CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1772 – Information Disclosure
https://notcve.org/view.php?id=CVE-2020-1772
27 Mar 2020 — It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Es posible diseñar peticiones de Contraseña Perdida con wildcards en el valor de Token, permite a un atacante recuperar Token(s) válidos, generados por usuarios que ya solicitaron nuevas co... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1771 – Possible XSS in Customer user address book
https://notcve.org/view.php?id=CVE-2020-1771
27 Mar 2020 — Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Un atacante es capaz de diseñar un artículo con un enlace hacia la libreta de direcciones del cliente con contenido malicioso (JavaScript). • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1770 – Information disclosure in support bundle files
https://notcve.org/view.php?id=CVE-2020-1770
27 Mar 2020 — Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Unos archivos generados por el paquete de soporte podrían contener información confidencial que podría sin querer ser revelada. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
27 Mar 2020 — In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. En las pantallas de inicio de sesión (en la interfaz del agente y cliente), los campos Username y Password usan autocompletar, lo que podría ser considerado un problema de seguridad. Este problema afecta a: ((OTRS)) Community Edi... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-16: Configuration •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2019-16375
https://notcve.org/view.php?id=CVE-2019-16375
19 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.11... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1767 – Possible to send drafted messages as wrong agent
https://notcve.org/view.php?id=CVE-2020-1767
10 Jan 2020 — Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. • https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1766 – Improper handling of uploaded inline images
https://notcve.org/view.php?id=CVE-2020-1766
10 Jan 2020 — Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Debido al manejo inapropiado de las imágenes cargadas, es posible, en condiciones muy extrañas y poco frecuentes, forzar... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1765 – Spoofing of From field in several screens
https://notcve.org/view.php?id=CVE-2020-1765
10 Jan 2020 — An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Un control inapropiado de los parámetros permite la suplantación de los campos de las siguientes pantallas: AgentTicketCompose, AgentTicketForward, Ag... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2019-18179
https://notcve.org/view.php?id=CVE-2019-18179
06 Jan 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. Se descubrió un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta la versión 7.0.12, y Community Edition versiones 5.0.x hasta 5.0.38 y 6.0.x hasta 6.0.23. Un atacante que ha ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2019-18180 – Denial of service
https://notcve.org/view.php?id=CVE-2019-18180
05 Dec 2019 — Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions. Una Comprobación Inapropiada de nombres de archivo con extensiones sumamente largas en ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •