CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1774 – Information disclosure
https://notcve.org/view.php?id=CVE-2020-1774
28 Apr 2020 — When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions. Cuando el usuario descarga claves y certificados de PGP o S/MIME, el archivo exportado presenta el mismo nombre para las claves privadas y públicas. • https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1773 – Session / Password / Password token leak
https://notcve.org/view.php?id=CVE-2020-1773
27 Mar 2020 — An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. Un atacante con la capacidad de generar ID de sesión o tokens de restablecimiento de contraseña, ya sea mediante la autenti... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-331: Insufficient Entropy •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1772 – Information Disclosure
https://notcve.org/view.php?id=CVE-2020-1772
27 Mar 2020 — It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Es posible diseñar peticiones de Contraseña Perdida con wildcards en el valor de Token, permite a un atacante recuperar Token(s) válidos, generados por usuarios que ya solicitaron nuevas co... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1771 – Possible XSS in Customer user address book
https://notcve.org/view.php?id=CVE-2020-1771
27 Mar 2020 — Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Un atacante es capaz de diseñar un artículo con un enlace hacia la libreta de direcciones del cliente con contenido malicioso (JavaScript). • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1770 – Information disclosure in support bundle files
https://notcve.org/view.php?id=CVE-2020-1770
27 Mar 2020 — Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Unos archivos generados por el paquete de soporte podrían contener información confidencial que podría sin querer ser revelada. Este problema afecta a: ((OTRS)) Community Edition: versiones 5.0.41 y anteriores, versiones 6.0.26 y anteriores. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-1769 – Autocomplete in the form login screens
https://notcve.org/view.php?id=CVE-2020-1769
27 Mar 2020 — In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. En las pantallas de inicio de sesión (en la interfaz del agente y cliente), los campos Username y Password usan autocompletar, lo que podría ser considerado un problema de seguridad. Este problema afecta a: ((OTRS)) Community Edi... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-16: Configuration •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2019-16375
https://notcve.org/view.php?id=CVE-2019-16375
19 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.11... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13457
https://notcve.org/view.php?id=CVE-2019-13457
10 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.8. Un usuario cliente puede usar los resultados de la búsqueda para divulgar información de sus tickets "company" (con el mismo CustomerID), inclusiv... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10065
https://notcve.org/view.php?id=CVE-2019-10065
10 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0 hasta la versión 7.0.6. Un atacante que está registrado en OTRS como un usuario cliente puede usar unas pantallas de resultados de búsqueda para divulgar información de lo... • https://community.otrs.com/category/release-and-security-notes-en •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1768 – External Interface does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1768
07 Feb 2020 — The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. El sistema frontend externo usa numerosas llamadas en segundo plano al backend. Cada petición en segundo plano es tratada como actividad del usuario, por lo que la SessionMaxIdleTime no será alcanzada. • https://otrs.com/release-notes/otrs-security-advisory-2020-04 • CWE-613: Insufficient Session Expiration •