CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-16854
https://notcve.org/view.php?id=CVE-2017-16854
08 Dec 2017 — In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. En Open Ticket Request System (OTRS) hasta la versión 3.3.20; en las versiones 4 hasta la 4.0.26; en las versiones 5 hasta la 5.0.24 y en las versiones 6 hasta la 6.0.1, un atacante que ha iniciado sesión como cliente puede emplear el formulario de búsqueda de... • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 1%CPEs: 70EXPL: 3CVE-2017-16921 – OTRS 5.0.x/6.0.x - Remote Command Execution
https://notcve.org/view.php?id=CVE-2017-16921
08 Dec 2017 — In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user. En OTRS en versiones 6.0.x hasta e incluyendo 6.0.1; OTRS 5.0.x hasta e incluyendo 5.0.24 y OTRS 4.0.x hasta e incluyendo 4.0.26, un atacante que haya iniciado sesión en OTRS como agente puede manipular ... • https://packetstorm.news/files/id/162295 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16664
https://notcve.org/view.php?id=CVE-2017-16664
21 Nov 2017 — Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. Existe inyección de código en Kernel/System/Spelling.pm en Open Ticket Request System (OTRS) 5 en versiones anteriores a la5.0.24; 4 en versiones anteriores a la 4.0.26 y 3.3 en versiones anteriores a la 3.3.20. En la interfaz del agente, ... • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-15864
https://notcve.org/view.php?id=CVE-2017-15864
16 Nov 2017 — In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. En Agent Frontend en Open Ticket Request System (OTRS) en sus versiones 3.3.x hasta la 3.3.18, con una URL manipulada es posible obtener información como el usuario y la contraseña de la base de datos. • https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html •
CVSS: 8.8EPSS: 0%CPEs: 82EXPL: 0CVE-2017-14635 – Debian Security Advisory 4021-1
https://notcve.org/view.php?id=CVE-2017-14635
21 Sep 2017 — In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. En OTRS (Open Ticket Request System) en versiones 3.3.x anteriores a la 3.3.18, 4.x anteriores a la 4.0.25 y 5.x anteriores a la 5.0.23, los usuarios autenticados remotos pueden utilizar los permisos de escritura de estadísticas para obtener privilegios mediante la inyección de código. It was discovered... • https://www.debian.org/security/2017/dsa-4021 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 1CVE-2017-9324 – Debian Security Advisory 3876-1
https://notcve.org/view.php?id=CVE-2017-9324
08 Jun 2017 — In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. En Open Ticket Request System (OTRS) versión 3.3.x hasta la versión 3.3.16, versi... • https://packetstorm.news/files/id/142862 • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9299
https://notcve.org/view.php?id=CVE-2017-9299
29 May 2017 — Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected. Open Ticket Request System (OTRS) 3.3.9 tiene XSS en las peticiones index.pl? • http://code610.blogspot.com/2017/05/turnkey-feat-otrs.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 133EXPL: 0CVE-2016-9139
https://notcve.org/view.php?id=CVE-2016-9139
16 Feb 2017 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.3.x en versiones anteriores a 3.3.16, 4.0.x en versiones anteriores a 4.0.19 y 5.0.x en versiones anteriores a 5.0.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ad... • http://www.securityfocus.com/bid/94141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2554 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2554
23 Apr 2014 — OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. OTRS 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a atacantes remotos realizar ataques de clickjacking a través de un elemento IFRAME. A logged in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS. An attacker could embed OTRS in a hidden iframe tag of another page, tr... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 54EXPL: 0CVE-2014-2553 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2553
02 Apr 2014 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través de vectores relacionados con campos ... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •