CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13457
https://notcve.org/view.php?id=CVE-2019-13457
10 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta 7.0.8. Un usuario cliente puede usar los resultados de la búsqueda para divulgar información de sus tickets "company" (con el mismo CustomerID), inclusiv... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10065
https://notcve.org/view.php?id=CVE-2019-10065
10 Mar 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0 through 7.0.6. An attacker who is logged into OTRS as a customer user can use the search result screens to disclose information from internal FAQ articles, a different vulnerability than CVE-2019-9753. Se detectó un problema en Open Ticket Request System (OTRS) versiones 7.0 hasta la versión 7.0.6. Un atacante que está registrado en OTRS como un usuario cliente puede usar unas pantallas de resultados de búsqueda para divulgar información de lo... • https://community.otrs.com/category/release-and-security-notes-en •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1768 – External Interface does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1768
07 Feb 2020 — The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. El sistema frontend externo usa numerosas llamadas en segundo plano al backend. Cada petición en segundo plano es tratada como actividad del usuario, por lo que la SessionMaxIdleTime no será alcanzada. • https://otrs.com/release-notes/otrs-security-advisory-2020-04 • CWE-613: Insufficient Session Expiration •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1767 – Possible to send drafted messages as wrong agent
https://notcve.org/view.php?id=CVE-2020-1767
10 Jan 2020 — Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. • https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1766 – Improper handling of uploaded inline images
https://notcve.org/view.php?id=CVE-2020-1766
10 Jan 2020 — Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Debido al manejo inapropiado de las imágenes cargadas, es posible, en condiciones muy extrañas y poco frecuentes, forzar... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 9EXPL: 0CVE-2020-1765 – Spoofing of From field in several screens
https://notcve.org/view.php?id=CVE-2020-1765
10 Jan 2020 — An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Un control inapropiado de los parámetros permite la suplantación de los campos de las siguientes pantallas: AgentTicketCompose, AgentTicketForward, Ag... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2019-18179
https://notcve.org/view.php?id=CVE-2019-18179
06 Jan 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. Se descubrió un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta la versión 7.0.12, y Community Edition versiones 5.0.x hasta 5.0.38 y 6.0.x hasta 6.0.23. Un atacante que ha ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2019-18180 – Denial of service
https://notcve.org/view.php?id=CVE-2019-18180
05 Dec 2019 — Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions. Una Comprobación Inapropiada de nombres de archivo con extensiones sumamente largas en ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-13458
https://notcve.org/view.php?id=CVE-2019-13458
21 Aug 2019 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords. Se descubrió un problema en Open Ticket Request System (OTRS) 7.0.x hasta 7.0.8, y Community Edition 5.0.x hasta 5.0.36 y 6.0.x hasta 6.0.19. Un atacante que haya iniciado sesión en OTRS... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2019-12497
https://notcve.org/view.php?id=CVE-2019-12497
17 Jun 2019 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes. Se descubrió un problema en Open Ticket Request System (OTRS) 7.0.x hasta 7.0.8, Community Edition 6.0.x hasta 6.0.19 y Community Edition 5.0.x hasta 5.0.36. En el cliente o en la interfaz externa, la informació... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •