Filtered by vendor Otrs
Subscribe
Total
151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16854 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.
|
|||||
| CVE-2017-9299 | 1 Otrs | 1 Otrs | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected.
|
|||||
| CVE-2017-14635 | 1 Otrs | 1 Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
|
In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.
|
|||||
| CVE-2016-9139 | 1 Otrs | 1 Otrs | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.
|
|||||
| CVE-2017-17476 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
|
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
|
|||||
| CVE-2017-15864 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 4.0 MEDIUM | 8.8 HIGH |
|
In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password.
|
|||||
| CVE-2017-16921 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
|
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
|
|||||
| CVE-2017-16664 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
|
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.
|
|||||
| CVE-2017-9324 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
|
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end.
|
|||||
| CVE-2014-2553 | 1 Otrs | 1 Otrs | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
|
|||||
| CVE-2014-9324 | 1 Otrs | 1 Otrs Help Desk | 2025-04-12 | 6.0 MEDIUM | N/A |
|
The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
|
|||||
| CVE-2014-1695 | 1 Otrs | 1 Otrs | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
|
|||||
| CVE-2016-5843 | 1 Otrs | 1 Faq | 2025-04-12 | 9.0 HIGH | 9.4 CRITICAL |
|
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.
|
|||||
| CVE-2014-2554 | 2 Opensuse, Otrs | 2 Opensuse, Otrs | 2025-04-12 | 4.3 MEDIUM | N/A |
|
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
|
|||||
| CVE-2008-7277 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets.
|
|||||
| CVE-2010-4758 | 1 Otrs | 1 Otrs | 2025-04-11 | 1.9 LOW | N/A |
|
installer.pl in Open Ticket Request System (OTRS) before 3.0.3 has an Inbound Mail Password field that uses the text type, instead of the password type, for its INPUT element, which makes it easier for physically proximate attackers to obtain the password by reading the workstation screen.
|
|||||
| CVE-2012-4751 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element.
|
|||||
| CVE-2010-3476 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080.
|
|||||
| CVE-2011-2385 | 1 Otrs | 2 Iphonehandle, Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
|
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.
|
|||||
| CVE-2008-7278 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x before 2.3.0-beta1, does not properly configure the RANDFILE environment variable for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file.
|
|||||
| CVE-2014-1471 | 1 Otrs | 1 Otrs | 2025-04-11 | 7.5 HIGH | N/A |
|
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
|
|||||
| CVE-2011-2746 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.0 MEDIUM | N/A |
|
Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors.
|
|||||
| CVE-2008-7280 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Request System (OTRS) before 2.2.7 does not properly handle e-mail messages containing malformed UTF-8 characters, which allows remote attackers to cause a denial of service (e-mail retrieval outage) via a crafted message.
|
|||||
| CVE-2010-4763 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
|
The ACL-customer-status Ticket Type setting in Open Ticket Request System (OTRS) before 3.0.0-beta1 does not restrict the ticket options after an AJAX reload, which allows remote authenticated users to bypass intended ACL restrictions on the (1) Status, (2) Service, and (3) Queue via selections.
|
|||||
| CVE-2008-7279 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
|
The CustomerInterface component in Open Ticket Request System (OTRS) before 2.2.8 allows remote authenticated users to bypass intended access restrictions and access tickets of arbitrary customers via unspecified vectors.
|
|||||
| CVE-2008-7282 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.6 MEDIUM | N/A |
|
Kernel/Output/HTML/CustomerNewTicketQueueSelectionGeneric.pm in Open Ticket Request System (OTRS) before 2.2.6, when the CustomerPanelOwnSelection and CustomerGroupSupport options are enabled, allows remote authenticated users to bypass intended access restrictions, and perform certain (1) list and (2) write operations on queues, via unspecified vectors.
|
|||||
| CVE-2010-4762 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in the rich-text-editor component in Open Ticket Request System (OTRS) before 3.0.0-beta2 allows remote authenticated users to inject arbitrary web script or HTML by using the "source code" feature in the customer interface.
|
|||||
| CVE-2009-5057 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 does not configure the RANDFILE and HOME environment variables for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file.
|
|||||
| CVE-2012-4600 | 1 Otrs | 2 Otrs, Otrs Itsm | 2025-04-11 | 2.6 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
|
|||||
| CVE-2010-4764 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, does not present warnings about incoming encrypted e-mail messages that were based on revoked PGP or GPG keys, which makes it easier for remote attackers to spoof e-mail communication by leveraging a key that has a revocation signature.
|
|||||
| CVE-2010-4759 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.0 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 3.0.0-beta7 does not properly restrict the ticket ages that are within the scope of a search, which allows remote authenticated users to cause a denial of service (daemon hang) via a fulltext search.
|
|||||
| CVE-2009-5055 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
|
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
|
|||||
| CVE-2011-0456 | 1 Otrs | 1 Otrs | 2025-04-11 | 7.5 HIGH | N/A |
|
webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability."
|
|||||
| CVE-2008-7281 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field.
|
|||||
| CVE-2010-4760 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
|
Open Ticket Request System (OTRS) before 3.0.0-beta6 adds email-notification-ext articles to tickets during processing of event-based notifications, which allows remote authenticated users to obtain potentially sensitive information by reading a ticket.
|
|||||
| CVE-2009-5056 | 1 Otrs | 1 Otrs | 2025-04-11 | 2.1 LOW | N/A |
|
Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly enforce the move_into permission setting for a queue, which allows remote authenticated users to bypass intended access restrictions and read a ticket by watching this ticket, and then selecting the ticket from the watched-tickets list.
|
|||||
| CVE-2008-7276 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.6 MEDIUM | N/A |
|
Kernel/System/Web/Request.pm in Open Ticket Request System (OTRS) before 2.3.2 creates a directory under /tmp/ with 1274 permissions, which might allow local users to bypass intended access restrictions via standard filesystem operations, related to incorrect interpretation of 0700 as a decimal value.
|
|||||
| CVE-2010-2080 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2014-1694 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.8 MEDIUM | N/A |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
|
|||||
| CVE-2010-4766 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
|
The AgentTicketForward feature in Open Ticket Request System (OTRS) before 2.4.7 does not properly remove inline images from HTML e-mail messages, which allows remote attackers to obtain potentially sensitive image information in opportunistic circumstances by reading a forwarded message in a standard e-mail client.
|
|||||