Filtered by vendor Otrs
Subscriptions
Total
152 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-36093 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.3 Medium |
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. | ||||
CVE-2008-7282 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
Kernel/Output/HTML/CustomerNewTicketQueueSelectionGeneric.pm in Open Ticket Request System (OTRS) before 2.2.6, when the CustomerPanelOwnSelection and CustomerGroupSupport options are enabled, allows remote authenticated users to bypass intended access restrictions, and perform certain (1) list and (2) write operations on queues, via unspecified vectors. | ||||
CVE-2008-7276 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
Kernel/System/Web/Request.pm in Open Ticket Request System (OTRS) before 2.3.2 creates a directory under /tmp/ with 1274 permissions, which might allow local users to bypass intended access restrictions via standard filesystem operations, related to incorrect interpretation of 0700 as a decimal value. | ||||
CVE-2021-21442 | 1 Otrs | 1 Time Accounting | 2024-09-16 | 4.5 Medium |
In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19. | ||||
CVE-2021-21443 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. | ||||
CVE-2010-4763 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
The ACL-customer-status Ticket Type setting in Open Ticket Request System (OTRS) before 3.0.0-beta1 does not restrict the ticket options after an AJAX reload, which allows remote authenticated users to bypass intended ACL restrictions on the (1) Status, (2) Service, and (3) Queue via selections. | ||||
CVE-2021-21439 | 1 Otrs | 1 Otrs | 2024-09-16 | 6.5 Medium |
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions. | ||||
CVE-2019-18180 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.3 Medium |
Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions. | ||||
CVE-2022-39050 | 1 Otrs | 1 Otrs | 2024-09-16 | 4.6 Medium |
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap | ||||
CVE-2022-32740 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances. | ||||
CVE-2020-1768 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.4 Medium |
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions. | ||||
CVE-2021-36094 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.7 Medium |
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. | ||||
CVE-2009-5055 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2. | ||||
CVE-2009-5056 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list. | ||||
CVE-2021-36096 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.2 Medium |
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. | ||||
CVE-2022-39052 | 1 Otrs | 1 Otrs | 2024-09-16 | 7.5 High |
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system | ||||
CVE-2008-7281 | 1 Otrs | 1 Otrs | 2024-09-16 | N/A |
Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field. | ||||
CVE-2020-1774 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-09-16 | 4.5 Medium |
When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions. | ||||
CVE-2021-36091 | 1 Otrs | 1 Otrs | 2024-09-16 | 3.5 Low |
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27. | ||||
CVE-2021-36095 | 1 Otrs | 1 Otrs | 2024-09-16 | 5.3 Medium |
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions. |