Page 7 of 35 results (0.005 seconds)

CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0

The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks." La interfaz SOAP en OTRS versión 2.1.x anterior a 2.1.8 y versión 2.2.x anterior a 2.2.6, permite a los atacantes remotos “read and modify objects" por medio de peticiones SOAP, relacionadas con "Missing security checks" • http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html http://otrs.org/advisory/OSA-2008-01-en http://secunia.com/advisories/29585 http://secunia.com/advisories/29622 http://secunia.com/advisories/29859 http://www.securityfocus.com/bid/28647 https://exchange.xforce.ibmcloud.com/vulnerabilities/41577 https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00284.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 3

Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo index.pl en Open Ticket Request System (OTRS) versión 2.0.x, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro Subaction en una acción AgentTicketMailbox. NOTA: DEBIAN: DSA-1299 originalmente usó este identificador para un problema de ipsec-tools, pero el identificador adecuado para el problema de ipsec-tools es CVE-2007-1841. • https://www.exploit-db.com/exploits/29962 http://osvdb.org/35821 http://osvdb.org/35822 http://secunia.com/advisories/25205 http://secunia.com/advisories/25419 http://secunia.com/advisories/25787 http://securityreason.com/securityalert/2668 http://www.debian.org/security/2007/dsa-1298 http://www.novell.com/linux/security/advisories/2007_13_sr.html http://www.securityfocus.com/archive/1/467870/100/0/threaded http://www.securityfocus.com/archive/1/471192/100/0/thre • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters. • https://www.exploit-db.com/exploits/26552 http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securitytracker.com/id?1015262 http://www.debian.org/security/2006/dsa-973 http://www. •

CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 4

Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action. • https://www.exploit-db.com/exploits/26551 https://www.exploit-db.com/exploits/26550 http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securitytracker.com/id?1015262 http://www.debian •

CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 0

Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources. • http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html http://marc.info/?l=bugtraq&m=113272360804853&w=2 http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt http://otrs.org/advisory/OSA-2005-01-en http://secunia.com/advisories/17685 http://secunia.com/advisories/18101 http://secunia.com/advisories/18887 http://securityreason.com/securityalert/200 http://www.debian.org/security/2006/dsa-973 http://www.novell.com/linux/security/advisories/2005_30&# •