Debian Otrs2 vulnerabilities
102 known vulnerabilities affecting debian/otrs2.
Total CVEs: 102
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: HIGH 11, MEDIUM 55, LOW 36
Vulnerabilities
Page 2 of 6
CVE-2012-2582 | P4 | MEDIUM | CVSS 4.3 | PoC | fixed in otrs2 3.1.7+dfsg1-4 (bullseye) | 2012
otrs2: Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS
debian
CVE-2021-21441 | P3 | HIGH | CVSS 7.5 | fixed in otrs2 6.0.32-5 (bullseye) | 2021
otrs2: There is an XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. The attack can be performed by sending a specially crafted e-mail to the system and it doesn't require any user interaction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. O
debian
CVE-2020-1772 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.27-1 (bullseye) | 2020
otrs2: It's possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.2
debian
CVE-2019-18180 | P3 | MEDIUM | CVSS 5.3 | fixed in otrs2 6.0.24-1 (bullseye) | 2019
otrs2: Improper check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows a remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions
debian
CVE-2007-2524 | P4 | MEDIUM | CVSS 4.3 | PoC | fixed in otrs2 2.1.1-1 (bullseye) | 2007
otrs2: Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841.
debian
CVE-2021-21252 | P3 | MEDIUM | CVSS 5.3 | fixed in otrs2 6.0.32-4 (bullseye) | 2021
civicrm: The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
Scope: local
bullseye: open
debian
CVE-2008-7220 | P3 | LOW (title tag: HIGH) | CVSS 7.5 | fixed in asterisk 1:1.6.2.0~rc3-1 (bullseye) | 2008
asterisk: Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.
Scope: local
bullseye: resolved (fixed in 1:1.6.2.0~rc3-1)
sid: resolved (fixed in 1:1.6.2.0~rc3-1)
debian
CVE-2013-4088 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.2.8-1 (bullseye) | 2013
otrs2: Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.
Scope: local
bullseye: resolved (fixed in 3.2.8-1)
debian
CVE-2013-3551 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.2.7-1 (bullseye) | 2013
otrs2: Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticke
debian
CVE-2012-4600 | P4 | LOW | CVSS 2.6 | PoC | fixed in otrs2 3.1.7+dfsg1-5 (bullseye) | 2012
otrs2: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
Scope: local
bullseye: resolved (fixed in 3.1.7+dfsg1-5)
debian
CVE-2019-9892 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.18-1 (bullseye) | 2019
otrs2: An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.
Scope: local
bullseye: resolved (fi
debian
CVE-2021-41183 | P3 | MEDIUM | CVSS 6.5 | fixed in jqueryui 1.13.0+dfsg-1 (bookworm) | 2021
jqueryui: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accep
debian
CVE-2010-0438 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 2.4.7-1 (bullseye) | 2010
otrs2: Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Scope: local
bullseye: resolved (fixed in 2.4.7-1)
debian
CVE-2018-16587 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.11-1 (bullseye) | 2018
otrs2: In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.
Scope: local
bullseye: resolved (fixed in 6.0.11-1)
debian
CVE-2019-13458 | P3 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.20-1 (bullseye) | 2019
otrs2: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.
Scope: local
bullseye: resolved (fixed in
debian
CVE-2013-2625 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.1.7+dfsg1-8 (bullseye) | 2013
otrs2: An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. Access rights are not verified by the object linking mechanism
Scope: local
bullseye: resolved (fixed in 3.1.7+dfsg1-8)
debian
CVE-2018-19143 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.13-1 (bullseye) | 2018
otrs2: Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled.
Scope: local
bullseye: resolved (fixed in 6.0.13-1)
debian
CVE-2021-21440 | P4 | MEDIUM | CVSS 5.2 | fixed in otrs2 6.0.32-6 (bullseye) | 2021
otrs2: Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.32-6)
debian
CVE-2014-9324 | P4 | MEDIUM | CVSS 6.0 | fixed in otrs2 3.3.9-3 (bullseye) | 2014
otrs2: The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
Scope: local
bullseye: resolved (fixed in 3.3.9-3)
debian
CVE-2019-12746 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.20-1 (bullseye) | 2019
otrs2: An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused in order to impersonate the agent user.
Sc
debian