CVE-2018-11563
https://notcve.org/view.php?id=CVE-2018-11563
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application. Se detectó un problema en Open Ticket Request System (OTRS) versión 6.0.x hasta 6.0.7. Un correo electrónico cuidadosamente construido podría ser utilizado para inyectar y ejecutar hojas de estilo o código JavaScript en un navegador del cliente que haya iniciado sesión en el contexto de la aplicación del panel de cliente de OTRS. • https://community.otrs.com/security-advisory-2018-02-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html https://lists.otrs.org/pipermail/announce/2018/000720.html https://www.otrs.com/category/release-and-security-notes-en •
CVE-2019-12497
https://notcve.org/view.php?id=CVE-2019-12497
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes. Se descubrió un problema en Open Ticket Request System (OTRS) 7.0.x hasta 7.0.8, Community Edition 6.0.x hasta 6.0.19 y Community Edition 5.0.x hasta 5.0.36. En el cliente o en la interfaz externa, la información personal de los agentes (por ejemplo, Nombre y dirección de correo) se puede divulgar en notas externas. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/category/security-advisories-en https://lists.debian.org/debian-lts-announce/2019/06/msg00004.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-12248
https://notcve.org/view.php?id=CVE-2019-12248
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources. Se descubrió un problema en Open Ticket Request System (OTRS) 7.0.x hasta 7.0.7, Community Edition 6.0.x hasta 6.0.19 y Community Edition 5.0.x hasta 5.0.36. Un atacante podría enviar un correo electrónico malicioso a un sistema OTRS. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://lists.debian.org/debian-lts-announce/2019/06/msg00004.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://www.otrs.com/category/release-and-security-notes-en •
CVE-2019-10066
https://notcve.org/view.php?id=CVE-2019-10066
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS. Se encontró un problema en Open Ticket Request System (OTRS) versión 7.x hasta 7.0.6, Community Edition versión 6.0.x hasta 6.0.17 y OTRSAppointmentCalendar versión 5.0.x hasta 5.0.12. Un atacante logeado en OTRS como agente con los permisos apropiados puede crear una cita de calendario minuciosamente diseñada para provocar la ejecución de JavaScript en el contexto de OTRS. • https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-9892
https://notcve.org/view.php?id=CVE-2019-9892
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem. Se encontró un problema en Open Ticket Request System (OTRS) en las versiones 5.x hasta 5.0.34, 6.x hasta 6.0.17, y 7.x hasta 7.0.6. Un atacante logeado en OTRS como un agente de usuario con los permisos apropiados puede intentar importar un Report Statistics XML creado minuciosamente que le dará como resultado la lectura de archivos arbitrarios en OTRS filesystem. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2019/05/msg00003.html • CWE-91: XML Injection (aka Blind XPath Injection) •