CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
21 Mar 2022 — Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 78EXPL: 0CVE-2008-7275
https://notcve.org/view.php?id=CVE-2008-7275
18 Mar 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) anteriores a v2.3.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con (1) AgentTick... • http://bugs.otrs.org/show_bug.cgi?id=3287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 77EXPL: 0CVE-2008-7276
https://notcve.org/view.php?id=CVE-2008-7276
18 Mar 2011 — Kernel/System/Web/Request.pm in Open Ticket Request System (OTRS) before 2.3.2 creates a directory under /tmp/ with 1274 permissions, which might allow local users to bypass intended access restrictions via standard filesystem operations, related to incorrect interpretation of 0700 as a decimal value. Kernel/System/web/Request.pm en Open Ticket Request System (OTRS) anteriores a v2.3.2 crea un directorio en /tmp/ con permisos 1274, lo que podría permitir a usuarios locales eludir las restricciones de acceso... • http://bugs.otrs.org/show_bug.cgi?id=3133 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 74EXPL: 0CVE-2008-7277
https://notcve.org/view.php?id=CVE-2008-7277
18 Mar 2011 — Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets. Open Ticket Request System (OTRS) anteriores a v2.3.0-beta4 comprueba los permisos rw, en lugar de configurar el permiso de unión, durante el proceso de autorización de operaciones de combinación, lo que podría permitir a usuarios remo... • http://bugs.otrs.org/show_bug.cgi?id=3045 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 66EXPL: 0CVE-2008-7278
https://notcve.org/view.php?id=CVE-2008-7278
18 Mar 2011 — The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x before 2.3.0-beta1, does not properly configure the RANDFILE environment variable for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file. La función S/MIME en Open Ticket Request System (OTRS) anterior a v2.2.5, y v2.3.x anteriores a v2.3.0-beta1, no configura correctamen... • http://bugs.otrs.org/show_bug.cgi?id=2539 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 69EXPL: 0CVE-2008-7279
https://notcve.org/view.php?id=CVE-2008-7279
18 Mar 2011 — The CustomerInterface component in Open Ticket Request System (OTRS) before 2.2.8 allows remote authenticated users to bypass intended access restrictions and access tickets of arbitrary customers via unspecified vectors. El componente CustomerInterface en Open Ticket Request System (OTRS) anterior a v2.2.8 permite a usuarios remotos autenticados eludir las restricciones de acceso impuestas y los tickets clientes arbitrarios a través de vectores no especificados. • http://bugs.otrs.org/show_bug.cgi?id=3103 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 68EXPL: 0CVE-2008-7280
https://notcve.org/view.php?id=CVE-2008-7280
18 Mar 2011 — Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Request System (OTRS) before 2.2.7 does not properly handle e-mail messages containing malformed UTF-8 characters, which allows remote attackers to cause a denial of service (e-mail retrieval outage) via a crafted message. Kernel/System/EmailParser.pm en PostmasterPOP3.pl en Open Ticket Request System (OTRS) anterior a v2.2.7 no controla correctamente los mensajes de correo electrónico con caracteres UTF-8 incorrectos, lo que permite a atacant... • http://bugs.otrs.org/show_bug.cgi?id=2934 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 68EXPL: 0CVE-2008-7281
https://notcve.org/view.php?id=CVE-2008-7281
18 Mar 2011 — Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field. Open Ticket Request System (OTRS) anteriores a v2.2.7 envía correos electrónicos que contienen un campo cabecera Bcc que lista los destinatarios de la BCC (copia carbón blindada) lo que permite a atacantes remotos obtener direcciones de correo sensibles leyendo est... • http://bugs.otrs.org/show_bug.cgi?id=1882 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •