CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36100 – Authenticated remote code execution
https://notcve.org/view.php?id=CVE-2021-36100
21 Mar 2022 — Specially crafted string in OTRS system configuration can allow the execution of any system command. Una cadena especialmente diseñada en la configuración del sistema OTRS puede permitir la ejecución de cualquier comando del sistema • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1778 – Bypassing user account validation
https://notcve.org/view.php?id=CVE-2020-1778
23 Nov 2020 — When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions. Cuando OTRS usa múltiples backends para la autenticación de usuarios (con LDAP), unos agentes pueden iniciar sesión incluso si la cuenta está ajustada como no válida. Este problema afecta a OTRS; versiones 8.0.9 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2020-16 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1776 – Invalidating or changing user does not invalidate session
https://notcve.org/view.php?id=CVE-2020-1776
20 Jul 2020 — When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions. Cuando un usuario de agente es renombrado o se establece como no válido, la sesión que pertenece al usuario se mantiene activa. • https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 9%CPEs: 54EXPL: 3CVE-2012-4751 – OTRS 3.1 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4751
22 Oct 2012 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) Help Desk v2.4.x antes de v2.4.15, v3... • https://www.exploit-db.com/exploits/22070 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 58EXPL: 3CVE-2012-4600 – OTRS 3.1 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4600
31 Aug 2012 — Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en Open System Request Ticket (OTRS) Help Desk v2.4.x antes de v2.4.14, v3.0.x antes de v3.0.16, y v3.1.x antes de v3.1.10, cuando se usa Firefo... • https://www.exploit-db.com/exploits/22070 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 65EXPL: 2CVE-2012-2582 – OTRS Open Technology Real Services 3.1.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2582
23 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element. Múltiples... • https://www.exploit-db.com/exploits/20359 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 79EXPL: 0CVE-2011-2746
https://notcve.org/view.php?id=CVE-2011-2746
29 Aug 2011 — Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors. Vulnerabilidad no especificada en Kernel/Modules/AdminPackageManager.pm en OTRS-Core en Open Ticket Request System (OTRS) v2.x antes de v2.4.11 y v3.x antes de v3.0.10. permite a administradores autenticados remotamente leer archivos de su elección a través de vector... • http://lists.opensuse.org/opensuse-updates/2011-09/msg00011.html •
CVSS: 6.1EPSS: 0%CPEs: 28EXPL: 0CVE-2011-1518
https://notcve.org/view.php?id=CVE-2011-1518
18 Apr 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Open Ticket Request System (OTRS) v2.4.x anterior a v2.4.10 y 3.x anterior a v3.0.7 permite a atacantes remotos inyectar script web de su elección o HTML a través de vectores desconocidos. • http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2011-1433
https://notcve.org/view.php?id=CVE-2011-1433
18 Mar 2011 — The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the _UserLogin and _UserPW fields. Los componentes (1) AgentInterface y (2) CustomerInterface en Open Ticket Request System (OTRS) anterior a v3.0.6 coloca las credenciales sin cifrar en los datos de sesión en la base de datos, lo que hac... • http://bugs.otrs.org/show_bug.cgi?id=6878 • CWE-310: Cryptographic Issues •
CVSS: 3.5EPSS: 0%CPEs: 91EXPL: 1CVE-2009-5055
https://notcve.org/view.php?id=CVE-2009-5055
18 Mar 2011 — Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2. Open Ticket Request System (OTRS) anteriores a v2.4.4 permite el acceso a las subcadenas básicas de un dígito si... • http://bugs.otrs.org/show_bug.cgi?id=4105 • CWE-264: Permissions, Privileges, and Access Controls •