CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
21 Mar 2022 — Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4718
https://notcve.org/view.php?id=CVE-2013-4718
09 Aug 2021 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search. Una vulnerabilidad de tipo Cross-site scripting (XSS) en Open Ticket Request System (OTRS) ITSM versiones 3.0.x anteriores a 3.0.9, versiones 3.1.x anteriores a 3.1.10 y versiones 3.2.x anteriores a 3.2.7, permite a usuarios autenticados remotos inyectar script... • https://web.archive.org/web/20130817120539/http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2013-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 133EXPL: 0CVE-2016-9139
https://notcve.org/view.php?id=CVE-2016-9139
16 Feb 2017 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.3.x en versiones anteriores a 3.3.16, 4.0.x en versiones anteriores a 4.0.19 y 5.0.x en versiones anteriores a 5.0.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ad... • http://www.securityfocus.com/bid/94141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2554 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2554
23 Apr 2014 — OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. OTRS 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a atacantes remotos realizar ataques de clickjacking a través de un elemento IFRAME. A logged in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS. An attacker could embed OTRS in a hidden iframe tag of another page, tr... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 54EXPL: 0CVE-2014-2553 – Mandriva Linux Security Advisory 2014-111
https://notcve.org/view.php?id=CVE-2014-2553
02 Apr 2014 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.21, 3.2.x anterior a 3.2.16 y 3.3.x anterior a 3.3.6 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través de vectores relacionados con campos ... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 48EXPL: 3CVE-2014-1695 – OTRS < 3.1.x / < 3.2.x / < 3.3.x - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1695
28 Feb 2014 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. Vulnerabilidad de XSS en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.20, 3.2.x anterior a 3.2.15 y 3.3.x anterior a 3.3.5 permite a atacantes remotos inyectar script Web o HTML arbitrarios a través de un email HTML manipulado. An attacker could send a specially prepare... • https://packetstorm.news/files/id/131654 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2014-1471 – Debian Security Advisory 2867-1
https://notcve.org/view.php?id=CVE-2014-1471
04 Feb 2014 — SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL. Vulnerabilidad de inyección SQL en la función StateGetStatesByType en Kernel/System/State.pm en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a ata... • http://osvdb.org/102661 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 2%CPEs: 45EXPL: 3CVE-2014-1694 – Debian Security Advisory 2867-1
https://notcve.org/view.php?id=CVE-2014-1694
04 Feb 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets. Múltiples vulnerabilidades de CSRF en (1) CustomerPreferenc... • http://bugs.otrs.org/show_bug.cgi?id=10099 • CWE-352: Cross-Site Request Forgery (CSRF) •