
Debian Otrs2 vulnerabilities

102 known vulnerabilities affecting debian/otrs2.

Total CVEs: 102
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: HIGH 11, MEDIUM 55, LOW 36

Vulnerabilities

Page 3 of 6
CVE-2008-1515 | P4 | MEDIUM | CVSS 6.4 | fixed in otrs2 2.2.5-2 (bullseye) | 2008
CVE-2008-1515 [MEDIUM]: otrs2 - The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks." Scope: local | bullseye: resolved (fixed in 2.2.5-2)
debian

CVE-2017-16854 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.2-1 (bullseye) | 2017
CVE-2017-16854 [MEDIUM]: otrs2 - In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. Scope: local | bullseye: resolved (fixed in 6.0.2-1)
debian

CVE-2018-20800 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.14-1 (bullseye) | 2018
CVE-2018-20800 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 and 6.0.13. Users updating to 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table. Scope: local | bullseye: resolved (fixed in 6.0.14-1)
debian

CVE-2014-1694 | P4 | LOW | CVSS 6.8 | fixed in otrs2 3.3.4-1 (bullseye) | 2014
CVE-2014-1694 [MEDIUM]: otrs2 - Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary user
debian

CVE-2008-7279 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 2.3.2-1 (bullseye) | 2008
CVE-2008-7279 [MEDIUM]: otrs2 - The CustomerInterface component in Open Ticket Request System (OTRS) before 2.2.8 allows remote authenticated users to bypass intended access restrictions and access tickets of arbitrary customers via unspecified vectors. Scope: local | bullseye: resolved (fixed in 2.3.2-1)
debian

CVE-2010-4763 | P4 | LOW | CVSS 6.5 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2010
CVE-2010-4763 [MEDIUM]: otrs2 - The ACL-customer-status Ticket Type setting in Open Ticket Request System (OTRS) before 3.0.0-beta1 does not restrict the ticket options after an AJAX reload, which allows remote authenticated users to bypass intended ACL restrictions on the (1) Status, (2) Service, and (3) Queue via selections. Scope: local | bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian

CVE-2021-21439 | P4 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.32-5 (bullseye) | 2021
CVE-2021-21439 [MEDIUM]: otrs2 - DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0
debian

CVE-2019-10066 | P4 | MEDIUM | CVSS 5.4 | fixed in otrs2 6.0.18-1 (bullseye) | 2019
CVE-2019-10066 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS. Sco
debian

CVE-2008-7277 | P4 | LOW | CVSS 6.5 | fixed in otrs2 2.3.2-1 (bullseye) | 2008
CVE-2008-7277 [MEDIUM]: otrs2 - Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets. Scope: local | bullseye: resolved (fixed in 2.3.2-1)
debian

CVE-2010-4768 | P4 | LOW | CVSS 6.0 | fixed in otrs2 2.4.5-1 (bullseye) | 2010
CVE-2010-4768 [MEDIUM]: otrs2 - Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions. S
debian

CVE-2018-17883 | P4 | MEDIUM | CVSS 6.1 | fixed in otrs2 6.0.12-1 (bullseye) | 2018
CVE-2018-17883 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS. Scope: local | bullseye: resolved (fixed in 6.0.12-1)
debian

CVE-2019-12497 | P4 | MEDIUM | CVSS 5.3 | fixed in otrs2 6.0.19-1 (bullseye) | 2019
CVE-2019-12497 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes. Scope: local | bullseye: resolved (fixed in 6.0.19-1)
debian

CVE-2019-16375 | P4 | MEDIUM | CVSS 5.4 | fixed in otrs2 6.0.23-1 (bullseye) | 2019
CVE-2019-16375 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed wh
debian

CVE-2020-1766 | P4 | LOW | CVSS 2.0 | fixed in otrs2 6.0.25-1 (bullseye) | 2020
CVE-2020-1766 [LOW]: otrs2 - Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 a
debian

CVE-2020-1765 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.25-1 (bullseye) | 2020
CVE-2020-1765 [LOW]: otrs2 - An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. Scope: loca
debian

CVE-2019-10067 | P4 | MEDIUM | CVSS 5.4 | fixed in otrs2 6.0.18-1 (bullseye) | 2019
CVE-2019-10067 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS. Scope: local | bullseye: resolved (fixed in 6.0.18-1)
debian

CVE-2019-9752 | P4 | MEDIUM | CVSS 5.4 | fixed in otrs2 6.0.16-1 (bullseye) | 2019
CVE-2019-9752 [MEDIUM]: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.
debian

CVE-2020-1771 | P4 | MEDIUM | CVSS 4.6 | fixed in otrs2 6.0.27-1 (bullseye) | 2020
CVE-2020-1771 [MEDIUM]: otrs2 - Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. Scope: local | bullseye: resolved (fixed in 6.0.27-1)
debian

CVE-2008-7283 | P4 | MEDIUM | CVSS 6.0 | fixed in otrs2 2.2.6-1 (bullseye) | 2008
CVE-2008-7283 [MEDIUM]: otrs2 - Open Ticket Request System (OTRS) before 2.2.6, when customer group support is enabled, allows remote authenticated users to bypass intended access restrictions and perform web-interface updates to tickets by leveraging queue read permissions. Scope: local | bullseye: resolved (fixed in 2.2.6-1)
debian

CVE-2020-1774 | P4 | MEDIUM | CVSS 4.5 | fixed in otrs2 6.0.28-1 (bullseye) | 2020
CVE-2020-1774 [MEDIUM]: otrs2 - When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions. Scope: local | bullseye: r
debian