CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1768 – External Interface does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1768
07 Feb 2020 — The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. El sistema frontend externo usa numerosas llamadas en segundo plano al backend. Cada petición en segundo plano es tratada como actividad del usuario, por lo que la SessionMaxIdleTime no será alcanzada. • https://otrs.com/release-notes/otrs-security-advisory-2020-04 • CWE-613: Insufficient Session Expiration •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1767 – Possible to send drafted messages as wrong agent
https://notcve.org/view.php?id=CVE-2020-1767
10 Jan 2020 — Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. • https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1766 – Improper handling of uploaded inline images
https://notcve.org/view.php?id=CVE-2020-1766
10 Jan 2020 — Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Debido al manejo inapropiado de las imágenes cargadas, es posible, en condiciones muy extrañas y poco frecuentes, forzar... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 9EXPL: 0CVE-2020-1765 – Spoofing of From field in several screens
https://notcve.org/view.php?id=CVE-2020-1765
10 Jan 2020 — An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Un control inapropiado de los parámetros permite la suplantación de los campos de las siguientes pantallas: AgentTicketCompose, AgentTicketForward, Ag... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2019-18179
https://notcve.org/view.php?id=CVE-2019-18179
06 Jan 2020 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions. Se descubrió un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta la versión 7.0.12, y Community Edition versiones 5.0.x hasta 5.0.38 y 6.0.x hasta 6.0.23. Un atacante que ha ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2019-18180 – Denial of service
https://notcve.org/view.php?id=CVE-2019-18180
05 Dec 2019 — Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions. Una Comprobación Inapropiada de nombres de archivo con extensiones sumamente largas en ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 0CVE-2013-2625
https://notcve.org/view.php?id=CVE-2013-2625
27 Nov 2019 — An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. Access rights by the object linking mechanism is not verified Existe un problema de Omisión de Acceso en OTRS Help Desk versiones anteriores a la versión 3.2.4, 3.1.14 y 3.0.19, OTRS ITSM versiones anteriores a la versión 3.2.3, 3.1.8 y 3.0.7, y FAQ versiones anteriores a la versión 2.2.3, 2.1.4, y 2.0.8. Los derechos de acceso por el mecanismo d... • http://archives.neohapsis.com/archives/bugtraq/2013-08/0009.html • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-13458
https://notcve.org/view.php?id=CVE-2019-13458
21 Aug 2019 — An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords. Se descubrió un problema en Open Ticket Request System (OTRS) 7.0.x hasta 7.0.8, y Community Edition 5.0.x hasta 5.0.36 y 6.0.x hasta 6.0.19. Un atacante que haya iniciado sesión en OTRS... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2019-12746
https://notcve.org/view.php?id=CVE-2019-12746
21 Aug 2019 — An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user. Se descubrió un problema en el Open Ticket Request System (OTRS) Community Edition 5.0.x hasta 5.0.36 y 6.0.x hasta 6.0.19. Un usuario que inició ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11563
https://notcve.org/view.php?id=CVE-2018-11563
08 Jul 2019 — An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application. Se detectó un problema en Open Ticket Request System (OTRS) versión 6.0.x hasta 6.0.7. Un correo electrónico cuidadosamente construido podría ser utilizado para inyectar y ejecutar hojas de estilo o código JavaScript en un navegador de... • https://community.otrs.com/security-advisory-2018-02-security-update-for-otrs-framework •