CVE-2017-17476 — Sensitive Information Exposure in Otrs

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.9%

top 24.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Debian Otrs2 Debian Linux

Timeline

PublishedDec 20

Latest updateMay 13

Description

Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDotrs/otrs4.0.0 — 4.0.28+2

▶debiandebian/otrs2< otrs2 6.0.3-1 (bullseye)

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-q5mp-v3f3-grhm: Open Ticket Request System (OTRS) 4↗2022-05-13

▶

OSV

CVE-2017-17476: Open Ticket Request System (OTRS) 4↗2017-12-20

▶

📋Vendor Advisories

Debian

CVE-2017-17476: otrs2 - Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and ...↗2017

▶