Filtered by vendor Otrs
Subscribe
Total
151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-1518 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2010-4071 | 1 Otrs | 1 Otrs | 2025-04-11 | 2.6 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2.4.x before 2.4.9, when RichText is enabled, allows remote attackers to inject arbitrary web script or HTML via JavaScript in an HTML e-mail.
|
|||||
| CVE-2008-7275 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView.
|
|||||
| CVE-2011-1433 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the _UserLogin and _UserPW fields.
|
|||||
| CVE-2010-0438 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
|
Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
|
|||||
| CVE-2010-4768 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions.
|
|||||
| CVE-2012-2582 | 1 Otrs | 2 Otrs, Otrs Itsm | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META elemen ...
Show More |
|||||
| CVE-2010-4765 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.9 MEDIUM | N/A |
|
Race condition in the Kernel::System::Main::FileWrite method in Open Ticket Request System (OTRS) before 2.4.8 allows remote authenticated users to corrupt the TicketCounter.log data in opportunistic circumstances by creating tickets.
|
|||||
| CVE-2010-4767 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.3.6 does not properly handle e-mail messages in which the From line contains UTF-8 characters associated with diacritical marks and an invalid charset, which allows remote attackers to cause a denial of service (duplicate tickets and duplicate auto-responses) by sending a crafted message to a POP3 mailbox.
|
|||||
| CVE-2010-4761 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.0 MEDIUM | N/A |
|
The customer-interface ticket-print dialog in Open Ticket Request System (OTRS) before 3.0.0-beta3 does not properly restrict customer-visible data, which allows remote authenticated users to obtain potentially sensitive information from the (1) responsible, (2) owner, (3) accounted time, (4) pending until, and (5) lock fields by reading this dialog.
|
|||||
| CVE-2008-7283 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.2.6, when customer group support is enabled, allows remote authenticated users to bypass intended access restrictions and perform web-interface updates to tickets by leveraging queue read permissions.
|
|||||
| CVE-2008-1515 | 1 Otrs | 1 Otrs | 2025-04-09 | 6.4 MEDIUM | N/A |
|
The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks."
|
|||||
| CVE-2007-2524 | 1 Otrs | 1 Otrs | 2025-04-09 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841.
|
|||||
| CVE-2005-3895 | 1 Otrs | 1 Otrs | 2025-04-03 | 5.8 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment, which allows remote attackers to execute arbitrary web script or HTML. NOTE: this particular issue is referred to as XSS by some sources.
|
|||||
| CVE-2005-3893 | 1 Otrs | 1 Otrs | 2025-04-03 | 7.5 HIGH | N/A |
|
Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) user parameter in the Login action, and remote authenticated users via the (2) TicketID and (3) ArticleID parameters of the AgentTicketPlain action.
|
|||||
| CVE-2005-3894 | 1 Otrs | 1 Otrs | 2025-04-03 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) hex-encoded values in the QueueID parameter and (2) Action parameters.
|
|||||
| CVE-2025-24387 | 1 Otrs | 1 Otrs | 2025-03-24 | N/A | 4.8 MEDIUM |
|
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive
cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.x
|
|||||
| CVE-2023-38060 | 1 Otrs | 1 Otrs | 2025-02-13 | N/A | 6.3 MEDIUM |
|
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment.
This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
|||||
| CVE-2022-4427 | 1 Otrs | 1 Otrs | 2025-02-13 | N/A | 6.5 MEDIUM |
|
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice
This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
|||||
| CVE-2018-17883 | 1 Otrs | 1 Otrs | 2025-02-06 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.
|
|||||
| CVE-2024-6540 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 5.7 MEDIUM |
|
Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator.
This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
|
|||||
| CVE-2024-23794 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 5.2 MEDIUM |
|
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
|
|||||
| CVE-2024-23792 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 5.3 MEDIUM |
|
When adding attachments to ticket comments,
another user can add attachments as well impersonating the orginal user. The attack requires a
logged-in other user to know the UUID. While the legitimate user
completes the comment, the malicious user can add more files to the
comment.
This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
|
|||||
| CVE-2024-23791 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 4.9 MEDIUM |
|
Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
|
|||||
| CVE-2024-23790 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW |
|
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.
This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
|
|||||
| CVE-2023-6254 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 8.1 HIGH |
|
A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response-
This issue affects OTRS: from 8.0.X through 8.0.37.
|
|||||
| CVE-2023-5422 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 8.7 HIGH |
|
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the
SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate
satisfies all necessary security requirements.
This could allow an
attacker to use an invalid certificate to claim to be a trusted host,
use expired certificates, or conduct other attacks that could be
detected if the certi ...
Show More |
|||||
| CVE-2023-5421 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW |
|
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs
immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
|
|||||
| CVE-2023-38059 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
|
|||||
| CVE-2023-38058 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 4.1 MEDIUM |
|
An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission.
This issue affects OTRS: from 8.0.X before 8.0.35.
|
|||||
| CVE-2023-38057 | 1 Otrs | 1 Survey | 2024-11-21 | N/A | 4.1 MEDIUM |
|
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.
This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
|
|||||
| CVE-2023-38056 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 7.2 HIGH |
|
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
|||||
| CVE-2023-2534 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 7.6 HIGH |
|
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via
ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation
and th ...
Show More |
|||||
| CVE-2023-1250 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 7.4 HIGH |
|
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names
This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
|||||
| CVE-2023-1248 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
|
|||||
| CVE-2022-3501 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW |
|
Article template contents with sensitive data could be accessed from agents without permissions.
|
|||||
| CVE-2022-39052 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 7.5 HIGH |
|
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
|
|||||
| CVE-2022-39051 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
|
|||||
| CVE-2022-39050 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 4.6 MEDIUM |
|
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
|
|||||
| CVE-2022-39049 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW |
|
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
|
|||||