Filtered by vendor Otrs
Filtered by product Otrs
Total: 135 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2010-4763 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | The ACL-customer-status Ticket Type setting in Open Ticket Request System (OTRS) before 3.0.0-beta1 does not restrict the ticket options after an AJAX reload, which allows remote authenticated users to bypass intended ACL restrictions on the (1) Status, (2) Service, and (3) Queue via selections.
CVE-2021-21439 | 1 Otrs | 1 Otrs | 2024-09-16 | 6.5 Medium | A DoS attack can be performed when an email contains a specially designed URL in the body. It can lead to high CPU usage and cause low quality of service or, in the extreme case, bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
CVE-2019-18180 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.3 Medium | Improper check for filenames with overly long extensions in PostMaster (sending in email) or when uploading files (e.g. attaching files to mails) in ((OTRS)) Community Edition and OTRS allows a remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.
CVE-2022-39050 | 1 Otrs | 1 Otrs | 2024-09-16 | 4.6 Medium | An attacker who is logged into OTRS as an admin user may manipulate the customer URL field to store JavaScript code that is run later by any other agent who clicks the customer URL link. The stored JavaScript is then executed in the context of OTRS. The same issue applies to the use of external data sources, e.g. a database or LDAP.
CVE-2022-32740 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low | A reply to a forwarded email article by a third party could unintentionally expose the email content to the ticket customer under certain circumstances.
CVE-2020-1768 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.4 Medium | The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity, so SessionMaxIdleTime is never reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
CVE-2021-36094 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.7 Medium | It is possible to craft a request for the appointment edit screen that leads to an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
CVE-2009-5055 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
CVE-2009-5056 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list.
CVE-2021-36096 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.2 Medium | Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
CVE-2022-39052 | 1 Otrs | 1 Otrs | 2024-09-16 | 7.5 High | An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system.
CVE-2008-7281 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field.
CVE-2020-1774 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-09-16 | 4.5 Medium | When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. It is therefore possible to mix them up and send the private key to a third party instead of the public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.
CVE-2021-36091 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low | Agents are able to list appointments in calendars without the required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.3 Medium | A malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
CVE-2010-4071 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2.4.x before 2.4.9, when RichText is enabled, allows remote attackers to inject arbitrary web script or HTML via JavaScript in an HTML e-mail.
CVE-2010-4764 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, does not present warnings about incoming encrypted e-mail messages that were based on revoked PGP or GPG keys, which makes it easier for remote attackers to spoof e-mail communication by leveraging a key that has a revocation signature.
CVE-2008-7277 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets.
CVE-2021-21440 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.2 Medium | Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
CVE-2008-7275 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A | Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView.
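The customer URL field issue (CVE-2022-39050 above) is stored XSS through a link target: a `javascript:` URL saved by an admin runs in every agent's browser that clicks it, and the same applies to a URL pulled from an external database or LDAP. The Python below is an added example written for this page, not OTRS code. It applies a scheme allowlist when the value is stored and again when the link is rendered, and it strips ASCII control characters before parsing, the way browsers do, so that obfuscated schemes such as `java\tscript:` are still rejected. The function names and sample URLs are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit

# Only absolute web URLs may be stored as a customer link.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop ASCII control characters and spaces while parsing a URL, so a
# stored "java\tscript:" is executed as "javascript:". Normalise the same way
# before checking the scheme, otherwise a tab or newline slips past the list.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_link(url: str) -> bool:
    """True only for an absolute http(s) URL that has a host part."""
    normalised = _CTRL_OR_SPACE.sub("", url)
    parts = urlsplit(normalised)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def validate_for_storage(url: str) -> str:
    """Storage-time check for the admin form (hypothetical hook): the admin
    role is not a reason to trust the value, so refuse anything that is not a
    plain web URL before it reaches the database."""
    candidate = url.strip()
    if not is_safe_link(candidate):
        raise ValueError(f"refusing to store customer URL with disallowed scheme: {candidate!r}")
    return candidate


def render_customer_link(url: str, label: str) -> str:
    """Render-time defence: re-check the stored value (it may predate the
    storage check or come from LDAP or another external source) and HTML-escape
    both the attribute and the link text."""
    if not is_safe_link(url):
        return html.escape(label)  # degrade to plain text, no link at all
    return (
        f'<a href="{html.escape(url, quote=True)}" rel="noopener noreferrer">'
        f"{html.escape(label)}</a>"
    )


if __name__ == "__main__":
    # Constructed sample values, including two obfuscation attempts.
    for sample in (
        "https://crm.example.com/customer/42",
        "javascript:alert(document.cookie)",
        "java\tscript:alert(1)",
        "  JaVaScRiPt:alert(1)",
    ):
        print(f"{sample!r:45} safe={is_safe_link(sample)}")
```

Checking the scheme on both the write path and the read path matters here because the CVE text names two sources for the value, the admin form and external data sources; only the render-time check covers the second one.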
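CVE-2009-5055 above is an authorization check that matched on single-digit substrings of the CustomerID instead of the whole value, so a customer user with CustomerID 12 could read tickets of customers 1 and 2. The Python below is an added illustration of that bug class beside an exact-match check; it is written for this page and is not OTRS source. The ticket list is constructed sample data, and the `extra_ids` parameter (standing in for an explicitly assigned list of additional customer IDs) and the function names are hypothetical.

```python
# Constructed sample tickets; ticket numbers and customer IDs are made up.
TICKETS = [
    {"tn": "2009010001", "customer_id": "1"},
    {"tn": "2009010002", "customer_id": "2"},
    {"tn": "2009010003", "customer_id": "12"},
    {"tn": "2009010004", "customer_id": "21"},
]


def allowed_ids_vulnerable(user_customer_id: str) -> set[str]:
    """Bug class of CVE-2009-5055: every single-digit substring of the user's
    CustomerID is also treated as an ID the user may access, so "12" grants
    "1" and "2" as well."""
    return {user_customer_id} | set(user_customer_id)


def allowed_ids_fixed(user_customer_id: str, extra_ids=()) -> set[str]:
    """Only the user's own CustomerID plus IDs explicitly assigned to the user
    (hypothetical extra_ids list) are allowed; values are compared whole."""
    return {user_customer_id.strip()} | {x.strip() for x in extra_ids if x.strip()}


def can_read_ticket(allowed: set[str], ticket_customer_id: str) -> bool:
    # Exact membership test on the trimmed ID, never a substring or prefix test.
    return ticket_customer_id.strip() in allowed


def visible_tickets(allowed: set[str], tickets=TICKETS) -> list[str]:
    """Ticket numbers a customer user with the given allowed IDs may read."""
    return [t["tn"] for t in tickets if can_read_ticket(allowed, t["customer_id"])]


if __name__ == "__main__":
    print("vulnerable, CustomerID 12:", visible_tickets(allowed_ids_vulnerable("12")))
    print("fixed,      CustomerID 12:", visible_tickets(allowed_ids_fixed("12")))
```

The point to carry over to any similar check is that an identifier is an opaque value: membership in an explicit allow set, compared whole after trimming, is the only comparison that does not accidentally widen access.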
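CVE-2008-7281 above describes outgoing mail that still carried the Bcc header, so every recipient could read the blind-copy addresses. The Python below is an added example for this page, not OTRS code: it builds a constructed ticket notification, derives the SMTP envelope recipients from To, Cc and Bcc, and then strips Bcc (and Resent-Bcc) from the header block that goes on the wire. The vulnerable variant next to it serialises the headers unchanged, which is what happens when a composed message is handed to `SMTP.sendmail()` as a raw string. All addresses and the ticket number are made up.

```python
import email
from email.message import EmailMessage
from email.utils import getaddresses


def build_message() -> EmailMessage:
    """Constructed sample notification; every address here is fictitious."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"
    msg["To"] = "customer@example.net"
    msg["Cc"] = "manager@example.com"
    msg["Bcc"] = "auditor@example.com, legal@example.com"
    msg["Subject"] = "[Ticket#2008010001] Your request"
    msg.set_content("Your ticket has been updated.")
    return msg


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """SMTP RCPT TO list: every address in To, Cc and Bcc, in that order."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def prepare_vulnerable(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Bug class of CVE-2008-7281: the header block is transmitted exactly as
    composed, so the Bcc line is delivered to every recipient."""
    return envelope_recipients(msg), msg.as_bytes()


def prepare_fixed(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Compute the envelope first, then drop the blind-copy headers from a
    copy of the message before it is serialised."""
    rcpts = envelope_recipients(msg)
    wire = email.message_from_bytes(msg.as_bytes(), policy=msg.policy)
    for name in ("Bcc", "Resent-Bcc"):
        del wire[name]  # removes every occurrence; no-op if absent
    return rcpts, wire.as_bytes()


if __name__ == "__main__":
    rcpts, wire = prepare_fixed(build_message())
    print("RCPT TO:", rcpts)
    print(wire.decode())
```

`smtplib.SMTP.send_message()` performs this same removal of Bcc and Resent-Bcc itself; the leak appears when code serialises the message first and passes the string to `sendmail()`, which transmits whatever headers it is given.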
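CVE-2021-36095 above is account enumeration through the "lost password" form: the response reveals whether a login exists. The Python below is an added example for this page rather than OTRS code. It contrasts a handler that answers differently for known and unknown logins with one that returns the same text for every input, does the same token work on both paths, and hands delivery to a mail queue so the response time does not depend on whether a mail is actually sent. The user store, the queue class and the function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: login -> registered e-mail address.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


@dataclass
class MailQueue:
    """Stand-in for an asynchronous mail queue (hypothetical). Delivery
    happens elsewhere, so the HTTP response neither waits for nor reveals an
    SMTP round trip."""
    queued: list = field(default_factory=list)

    def enqueue(self, address: str, token: str) -> None:
        self.queued.append((address, token))


def lost_password_vulnerable(login: str, queue: MailQueue) -> str:
    """Bug class of CVE-2021-36095: unknown logins get a distinct answer, and
    only known logins do the token and mail work, so both the text and the
    timing tell an attacker which logins exist."""
    if login not in USERS:
        return "Login not found."
    token = secrets.token_urlsafe(32)
    queue.enqueue(USERS[login], token)
    return "A reset mail has been sent."


GENERIC_RESPONSE = (
    "If that login exists, a reset link has been sent to its registered address."
)


def lost_password_hardened(login: str, queue: MailQueue) -> str:
    """Same response text and the same work for every input; the only
    difference is whether a mail is queued, which the caller cannot observe."""
    token = secrets.token_urlsafe(32)  # generated unconditionally
    address = USERS.get(login)
    if address is not None:
        queue.enqueue(address, token)
    return GENERIC_RESPONSE


if __name__ == "__main__":
    q = MailQueue()
    for login in ("alice", "nobody"):
        print(f"vulnerable({login!r}) -> {lost_password_vulnerable(login, q)}")
        print(f"hardened({login!r})   -> {lost_password_hardened(login, q)}")
    print("queued mails:", len(q.queued))
```

A uniform response closes the direct oracle; rate limiting the endpoint per source address and per login is the usual companion control, because an attacker who can submit unlimited guesses can still look for residual timing differences.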