CVSS: 3.5EPSS: 0%CPEs: 91EXPL: 1CVE-2009-5055
https://notcve.org/view.php?id=CVE-2009-5055
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2. Open Ticket Request System (OTRS) anteriores a v2.4.4 permite el acceso a las subcadenas básicas de un dígito simple del valor CustomerID, que permite a usuarios remotos autenticados eludir las restricciones de acceso previsto en circunstancias oportunistas visualizando un ticket, como se demuestra mediante el aprovechamiento de la cuenta CustomerID 12 para leer tickets que deben estar disponibles sólo para los CustomerID 1 o 2. • http://bugs.otrs.org/show_bug.cgi?id=4105 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 83EXPL: 1CVE-2009-5056
https://notcve.org/view.php?id=CVE-2009-5056
Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list. Open Ticket Request System (OTRS) anteriores a v2.4.0-beta2 no hace cumplir de forma correcta la configuración del permiso move_into para una cola, lo que permite a usuarios remotos autenticados eludir las restricciones de acceso previsto y leer un ticket viéndolo y seleccionándolo de la lista de tickets vistos. • http://bugs.otrs.org/show_bug.cgi?id=3583 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 2%CPEs: 12EXPL: 0CVE-2010-3476
https://notcve.org/view.php?id=CVE-2010-3476
Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080. Open Ticket Request System (OTRS) v2.3.x anteriores a v2.3.6 y v2.4.x anteriores a v2.4.8 no controla correctamente la adecuación de las expresiones regulares de Perl contra los mensajes de correo electrónico HTML, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de un mensaje grande, es una vulnerabilidad distinta a CVE-2010-2080. • http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html http://otrs.org/advisory/OSA-2010-02-en http://secunia.com/advisories/41381 http://security-tracker.debian.org/tracker/CVE-2010-2080 http://www.securityfocus.com/bid/43264 https://exchange.xforce.ibmcloud.com/vulnerabilities/61869 • CWE-20: Improper Input Validation •
CVSS: 3.5EPSS: 0%CPEs: 12EXPL: 0CVE-2010-2080
https://notcve.org/view.php?id=CVE-2010-2080
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) v2.3.x anteriores a v2.3.6 y v2.4.x anteriores a v2.4.8, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no específicos. • http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html http://otrs.org/advisory/OSA-2010-02-en http://secunia.com/advisories/41381 http://security-tracker.debian.org/tracker/CVE-2010-2080 http://www.securityfocus.com/bid/43264 https://exchange.xforce.ibmcloud.com/vulnerabilities/61868 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0CVE-2010-0438
https://notcve.org/view.php?id=CVE-2010-0438
Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Múltiples vulnerabilidades de inyección SQL en Kernel/System/Ticket.pm en OTRS-Core en Open Ticket Request System (OTRS) v2.1.x anteriores a v2.1.9, v2.2.x anteriores a v2.2.9, v2.3.x anteriores a v2.3.5, y v2.4.x anteriores a v2.4.7 permite a usuarios autenticados ejecutar comandos SQL a través de vectores sin especificar. • http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html http://otrs.org/advisory/OSA-2010-01-en http://otrs.org/releases/2.4.7 http://secunia.com/advisories/38507 http://secunia.com/advisories/38544 http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log http://www.osvdb.org/62181 http://www.otrs.org/news/2010/otrs_2-4-7 http://www.securityfocus.com/bid/38146 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •