CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36097 – Agents are able to lock the ticket without the "Owner" permission
https://notcve.org/view.php?id=CVE-2021-36097
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions. Unos agentes pueden bloquear el ticket sin el permiso de "Owner". Una vez bloqueado el ticket, puede ser movido a la cola donde el agente tiene permisos "rw" y conseguir un control total. • https://otrs.com/release-notes/otrs-security-advisory-2021-20 • CWE-266: Incorrect Privilege Assignment •
CVSS: 5.2EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36096 – Support Bundle includes S/Mime and PGP secret or PIN
https://notcve.org/view.php?id=CVE-2021-36096
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. Unos Paquetes de Soporte Generados contienen claves privadas S/MIME y PGP si la carpeta que los contiene no está oculta. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x, versión 6.0.1 y versiones posteriores. • https://otrs.com/release-notes/otrs-security-advisory-2021-10 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36095 – User enumeration issue using "lost password" feature
https://notcve.org/view.php?id=CVE-2021-36095
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. Un atacante malicioso es capaz de averiguar los inicios de sesión válidos de usuarios al usar la funcionalidad "lost password". Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.1 y versiones posteriores. • https://otrs.com/release-notes/otrs-security-advisory-2021-18 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36094 – XSS attack in appointment edit popup screen
https://notcve.org/view.php?id=CVE-2021-36094
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. Es posible diseñar una petición para la pantalla de edición de citas, lo que podría conllevar a un ataque de tipo XSS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x, versión 6.0.1 y versiones posteriores. • https://otrs.com/release-notes/otrs-security-advisory-2021-17 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36093 – DoS attack using PostMaster filters
https://notcve.org/view.php?id=CVE-2021-36093
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. Es posible crear un correo electrónico que puede atascarse mientras es procesado por los filtros PostMaster, causando DoS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versión 6.0.x, versión 6.0.1 y versiones posteriores. • https://otrs.com/release-notes/otrs-security-advisory-2021-16 • CWE-185: Incorrect Regular Expression •