CVE-2018-16587 — Improper Input Validation in Open Ticket Request System

CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 34.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Open Ticket Request System Debian Otrs2 Debian Linux

Timeline

PublishedSep 28

Latest updateMay 14

Description

In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDotrs/open_ticket_request_system4.0.0 — 4.0.32+2

▶debiandebian/otrs2< otrs2 6.0.11-1 (bullseye)

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: community.otrs.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-pr46-8w6c-393f: In Open Ticket Request System (OTRS) 4↗2022-05-14

▶

OSV

CVE-2018-16587: In Open Ticket Request System (OTRS) 4↗2018-09-28

▶

📋Vendor Advisories

Debian

CVE-2018-16587: otrs2 - In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, a...↗2018

▶