CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21438 – FAQ articles are shown to users without permission
https://notcve.org/view.php?id=CVE-2021-21438
22 Mar 2021 — Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions. Los agentes pueden ser capaces de visualizar artículos de FAQ vinculados sin permisos (definidos en la categoría FAQ). Este problema afecta a: FAQ versión 6.0.29 y anteriores, OTRS versión 7.0.24 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2021-08 • CWE-264: Permissions, Privileges, and Access Controls CWE-276: Incorrect Default Permissions •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21437 – Config Items are shown to users without permission
https://notcve.org/view.php?id=CVE-2021-21437
22 Mar 2021 — Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions Los agentes pueden ser capaces de visualizar Elementos de Configuración vinculados sin permisos, que son definidos en el Catálogo General. Este problema afecta a: OTRSCIsInCustomerFrontend versiones 7.0.15 y anteriores, ITSMConfigurationManagement versiones 7.0.24 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2021-07 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21436 – Agent is able to link customer's Config Items without permission
https://notcve.org/view.php?id=CVE-2021-21436
08 Feb 2021 — Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions. Unos agentes son capaces de visualizar y vincular elementos de configuración sin permisos, que son definidos en el catálogo general. Este problema afecta a: OTRSCIsInCustomerFrontend de OTRS AG versiones 7.0.x versión 7.0.14 y versiones anteriores • https://otrs.com/release-notes/otrs-security-advisory-2021-04 • CWE-264: Permissions, Privileges, and Access Controls CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-21435 – Information exposure in PDF export
https://notcve.org/view.php?id=CVE-2021-21435
08 Feb 2021 — Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions. Los campos del Article Bcc y la información personal del agente son mostradas cuando el cliente imprime el ticket (PDF) por medio de una interfaz externa. Este problema afecta a: OTRS AG OTRS versiones 7.0.x versión 7.0.23 y versiones anteriores; versiones 8.0.x ve... • https://otrs.com/release-notes/otrs-security-advisory-2021-02 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21434 – XSS in Survey Module
https://notcve.org/view.php?id=CVE-2021-21434
08 Feb 2021 — Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions. El administrador de la encuesta puede diseñar una encuesta tal que pueda ser ejecutado un código malicioso en la interfaz del agente (es decir, otro agente que quiera hacer cambios en la encuesta). Este problema afecta: OT... • https://otrs.com/release-notes/otrs-security-advisory-2021-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1779 – Dynamic templates reveal sensitive data when OTRS tags are used
https://notcve.org/view.php?id=CVE-2020-1779
08 Feb 2021 — When dynamic templates are used (OTRSTicketForms), admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x version 8.0.3 and prior versions. Cuando son usadas plantillas dinámicas (OTRSTicketForms), el administrador puede usar etiquetas OTRS que no están enmascaradas apropiadamente y pueden revelar información confidencial. Este problema afec... • https://otrs.com/release-notes/otrs-security-advisory-2020-17 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1777 – Agent names disclosed in chat feature
https://notcve.org/view.php?id=CVE-2020-1777
15 Oct 2020 — Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and prior versions. Los nombres de los agentes que participan en una conversación de chat se revelan en determinadas partes de la interfaz externa, así como en las transcripciones de chat dentro de los tickets, cuando el sistema está confi... • https://otrs.com/release-notes/otrs-security-advisory-2020-15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1775 – Information disclosure in external interface
https://notcve.org/view.php?id=CVE-2020-1775
08 Jun 2020 — BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions. Los destinatarios de BCC en los correos enviados desde OTRS son visibles en los detalles del artículo en la interfaz externa. Este problema afecta a OTRS: versiones 8.0.3 y anteriores, versiones 7.0.17 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-12 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •