CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36094 – XSS attack in appointment edit popup screen
https://notcve.org/view.php?id=CVE-2021-36094
06 Sep 2021 — It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. Es posible diseñar una petición para la pantalla de edición de citas, lo que podría conllevar a un ataque de tipo XSS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x, versión 6.0.1 y versiones posteriores. • https://otrs.com/release-notes/otrs-security-advisory-2021-17 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36093 – DoS attack using PostMaster filters
https://notcve.org/view.php?id=CVE-2021-36093
06 Sep 2021 — It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. Es posible crear un correo electrónico que puede atascarse mientras es procesado por los filtros PostMaster, causando DoS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x, versión 6.0.1 y... • https://otrs.com/release-notes/otrs-security-advisory-2021-16 • CWE-185: Incorrect Regular Expression •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4718
https://notcve.org/view.php?id=CVE-2013-4718
09 Aug 2021 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search. Una vulnerabilidad de tipo Cross-site scripting (XSS) en Open Ticket Request System (OTRS) ITSM versiones 3.0.x anteriores a 3.0.9, versiones 3.1.x anteriores a 3.1.10 y versiones 3.2.x anteriores a 3.2.7, permite a usuarios autenticados remotos inyectar script... • https://web.archive.org/web/20130817120539/http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2013-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36092 – XSS attack using special link in email
https://notcve.org/view.php?id=CVE-2021-36092
26 Jul 2021 — It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. Es posible crear un correo electrónico que contenga un enlace especialmente diseñado y que pueda ser usado para llevar a cabo un ataque de tipo XSS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition:... • https://otrs.com/release-notes/otrs-security-advisory-2021-15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36091 – Unautorized access to the calendar appointments
https://notcve.org/view.php?id=CVE-2021-36091
26 Jul 2021 — Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. Unos agentes pueden listar citas en los calendarios sin los permisos necesarios. Este problema afecta a: OTRS AG ((OTRS)) Community Edition: versión 6.0.x versión 6.0.1 y versiones posteriores. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21443 – Unautorized listing of the customer user emails
https://notcve.org/view.php?id=CVE-2021-21443
26 Jul 2021 — Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. Unos agentes pueden enumerar los correos electrónicos de los usuarios de los clientes sin los permisos requeridos en la pantalla de acciones masivas. Este problema afecta a: OTRS AG ((OTRS)) Community Edition: versión 6.0.x versión 6.0.1 y versiones posteriores. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21442 – XSS vulnerability in Time Accounting
https://notcve.org/view.php?id=CVE-2021-21442
26 Jul 2021 — In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19. En la pantalla de creación del proyecto es posible inyectar código JS malicioso en determinados campos. El código puede ser ejecutado en la pantalla de Informes. • https://otrs.com/release-notes/otrs-security-advisory-2021-12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21440 – Support Bundle includes S/Mime and PGP keys
https://notcve.org/view.php?id=CVE-2021-21440
26 Jul 2021 — Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions. Unos Paquetes de Soporte Generados contienen claves privadas S/MIME y PGP si la carpeta que los contiene no está oculta. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x versión 6.0.1 y versiones pos... • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21441 – XSS in the ticket overview screens
https://notcve.org/view.php?id=CVE-2021-21441
16 Jun 2021 — There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21439 – Possible DoS attack using a special crafted URL in email body
https://notcve.org/view.php?id=CVE-2021-21439
14 Jun 2021 — DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions. El ataque de DoS puede ser llevado a cabo cuando un correo electrónico contiene una URL especialmente diseñada en el cue... • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-755: Improper Handling of Exceptional Conditions •