CVE-2009-5056
https://notcve.org/view.php?id=CVE-2009-5056
Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list. Open Ticket Request System (OTRS) anteriores a v2.4.0-beta2 no hace cumplir de forma correcta la configuración del permiso move_into para una cola, lo que permite a usuarios remotos autenticados eludir las restricciones de acceso previsto y leer un ticket viéndolo y seleccionándolo de la lista de tickets vistos. • http://bugs.otrs.org/show_bug.cgi?id=3583 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807 • CWE-20: Improper Input Validation •
CVE-2008-7275
https://notcve.org/view.php?id=CVE-2008-7275
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) anteriores a v2.3.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con (1) AgentTicketMailbox or (2) CustomerTicketOverView. • http://bugs.otrs.org/show_bug.cgi?id=3287 http://source.otrs.org/viewvc.cgi/otrs/CHANGES?revision=1.1807 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-0456
https://notcve.org/view.php?id=CVE-2011-0456
webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability." Se presenta una vulnerabilidad en el archivo webscript.pl en Open Ticket Request System (OTRS) versión 2.3.4 y anteriores, permite a los atacantes remotos ejecutar comandos arbitrarios por medio de vectores no especificados, relacionados a una "command injection vulnerability." • http://jvn.jp/en/jp/JVN73162541/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2011-000019 http://secunia.com/advisories/43960 https://hermes.opensuse.org/messages/7797670 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2010-0438
https://notcve.org/view.php?id=CVE-2010-0438
Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Múltiples vulnerabilidades de inyección SQL en Kernel/System/Ticket.pm en OTRS-Core en Open Ticket Request System (OTRS) v2.1.x anteriores a v2.1.9, v2.2.x anteriores a v2.2.9, v2.3.x anteriores a v2.3.5, y v2.4.x anteriores a v2.4.7 permite a usuarios autenticados ejecutar comandos SQL a través de vectores sin especificar. • http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html http://otrs.org/advisory/OSA-2010-01-en http://otrs.org/releases/2.4.7 http://secunia.com/advisories/38507 http://secunia.com/advisories/38544 http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log http://www.osvdb.org/62181 http://www.otrs.org/news/2010/otrs_2-4-7 http://www.securityfocus.com/bid/38146 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •