Filtered by vendor Otrs
Subscriptions
Total
152 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2010-4766 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| The AgentTicketForward feature in Open Ticket Request System (OTRS) before 2.4.7 does not properly remove inline images from HTML e-mail messages, which allows remote attackers to obtain potentially sensitive image information in opportunistic circumstances by reading a forwarded message in a standard e-mail client. | ||||
| CVE-2020-1773 | 1 Otrs | 1 Otrs | 2024-09-16 | 7.3 High |
| An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | ||||
| CVE-2020-1772 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-09-16 | 6.5 Medium |
| It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | ||||
| CVE-2010-4768 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions. | ||||
| CVE-2022-39049 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
| An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. | ||||
| CVE-2022-0473 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.8 Low |
| OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions. | ||||
| CVE-2010-4762 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| Cross-site scripting (XSS) vulnerability in the rich-text-editor component in Open Ticket Request System (OTRS) before 3.0.0-beta2 allows remote authenticated users to inject arbitrary web script or HTML by using the "source code" feature in the customer interface. | ||||
| CVE-2021-36097 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
| Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions. | ||||
| CVE-2022-3501 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
| Article template contents with sensitive data could be accessed from agents without permissions. | ||||
| CVE-2021-21435 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.7 Medium |
| Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions. | ||||
| CVE-2020-1775 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
| BCC recipients in mails sent from OTRS are visible in article detail on external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions. | ||||
| CVE-2010-4761 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| The customer-interface ticket-print dialog in Open Ticket Request System (OTRS) before 3.0.0-beta3 does not properly restrict customer-visible data, which allows remote authenticated users to obtain potentially sensitive information from the (1) responsible, (2) owner, (3) accounted time, (4) pending until, and (5) lock fields by reading this dialog. | ||||
| CVE-2020-1765 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-09-16 | 3.5 Low |
| An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | ||||
| CVE-2022-0474 | 1 Otrs | 1 Custom Contact Fields | 2024-09-16 | 2.4 Low |
| Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions. | ||||
| CVE-2008-7280 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Request System (OTRS) before 2.2.7 does not properly handle e-mail messages containing malformed UTF-8 characters, which allows remote attackers to cause a denial of service (e-mail retrieval outage) via a crafted message. | ||||
| CVE-2010-4760 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| Open Ticket Request System (OTRS) before 3.0.0-beta6 adds email-notification-ext articles to tickets during processing of event-based notifications, which allows remote authenticated users to obtain potentially sensitive information by reading a ticket. | ||||
| CVE-2008-7283 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| Open Ticket Request System (OTRS) before 2.2.6, when customer group support is enabled, allows remote authenticated users to bypass intended access restrictions and perform web-interface updates to tickets by leveraging queue read permissions. | ||||
| CVE-2010-4758 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| installer.pl in Open Ticket Request System (OTRS) before 3.0.3 has an Inbound Mail Password field that uses the text type, instead of the password type, for its INPUT element, which makes it easier for physically proximate attackers to obtain the password by reading the workstation screen. | ||||
| CVE-2021-21437 | 1 Otrs | 2 Itsmconfigurationmanagement, Otrscisincustomerfrontend | 2024-09-16 | 3.5 Low |
| Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions | ||||
| CVE-2019-9751 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
| An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm. | ||||