Debian Otrs2 vulnerabilities
102 known vulnerabilities affecting debian/otrs2.
Total CVEs: 102
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: HIGH 11, MEDIUM 55, LOW 36
Vulnerabilities
Page 4 of 6
CVE-2008-7278 | P4 | LOW | CVSS 5.0 | fixed in otrs2 2.3.2-1 (bullseye) | 2008
CVE-2008-7278 [MEDIUM] CVE-2008-7278: otrs2 - The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x ...
The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x before 2.3.0-beta1, does not properly configure the RANDFILE environment variable for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seedin
debian
CVE-2016-9139 | P4 | MEDIUM | CVSS 6.1 | fixed in otrs2 5.0.14-1 (bullseye) | 2016
CVE-2016-9139 [MEDIUM] CVE-2016-9139: otrs2 - Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3....
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.
Scope: local
bullseye: resolved (fixed in 5.0.14-1)
debian
CVE-2018-11563 | P4 | MEDIUM | CVSS 4.6 | fixed in otrs2 6.0.8-1 (bullseye) | 2018
CVE-2018-11563 [MEDIUM] CVE-2018-11563: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7...
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged in customer's browser in the context of the OTRS customer panel application.
Scope: local
bullseye: resolved (fixed in 6.0.8-1)
debian
CVE-2011-2746 | P4 | LOW | CVSS 4.0 | fixed in otrs2 2.4.7-1 (bullseye) | 2011
CVE-2011-2746 [MEDIUM] CVE-2011-2746: otrs2 - Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core ...
Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors.
Scope: local
bullseye: resolved (fixed in 2.4.7-1)
debian
CVE-2009-5057 | P4 | LOW | CVSS 5.0 | fixed in otrs2 2.4.5-1 (bullseye) | 2009
CVE-2009-5057 [MEDIUM] CVE-2009-5057: otrs2 - The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 does not co...
The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 does not configure the RANDFILE and HOME environment variables for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file.
Scope: local
bullseye:
debian
CVE-2019-12248 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 6.0.19-1 (bullseye) | 2019
CVE-2019-12248 [MEDIUM] CVE-2019-12248: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7...
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.
Scope: local
bullseye: resolved (fixed in 6.0.19-1)
debian
CVE-2019-18179 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 6.0.24-1 (bullseye) | 2019
CVE-2019-18179 [MEDIUM] CVE-2019-18179: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.1...
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
Scope: local
bullseye: resolved (fixed in 6.0.24-1)
debian
CVE-2008-7280 | P4 | MEDIUM | CVSS 5.0 | fixed in otrs2 2.2.7-1 (bullseye) | 2008
CVE-2008-7280 [MEDIUM] CVE-2008-7280: otrs2 - Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Request System ...
Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Request System (OTRS) before 2.2.7 does not properly handle e-mail messages containing malformed UTF-8 characters, which allows remote attackers to cause a denial of service (e-mail retrieval outage) via a crafted message.
Scope: local
bullseye: resolved (fixed in 2.2.7-1)
debian
CVE-2010-4764 | P4 | LOW | CVSS 5.0 | fixed in otrs2 2.4.10+dfsg1-1 (bullseye) | 2010
CVE-2010-4764 [MEDIUM] CVE-2010-4764: otrs2 - Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, does not ...
Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, does not present warnings about incoming encrypted e-mail messages that were based on revoked PGP or GPG keys, which makes it easier for remote attackers to spoof e-mail communication by leveraging a key that has a revocation signature.
Scope: local
bullseye: resolved (fixed in 2.4.10+dfsg1-1)
debian
CVE-2020-1769 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.27-1 (bullseye) | 2020
CVE-2020-1769 [LOW] CVE-2020-1769: otrs2 - In the login screens (in agent and customer interface), Username and Password fi...
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.27-1)
debian
CVE-2010-4767 | P4 | LOW | CVSS 5.0 | fixed in otrs2 2.4.5-1 (bullseye) | 2010
CVE-2010-4767 [MEDIUM] CVE-2010-4767: otrs2 - Open Ticket Request System (OTRS) before 2.3.6 does not properly handle e-mail m...
Open Ticket Request System (OTRS) before 2.3.6 does not properly handle e-mail messages in which the From line contains UTF-8 characters associated with diacritical marks and an invalid charset, which allows remote attackers to cause a denial of service (duplicate tickets and duplicate auto-responses) by sending a crafted message to a POP3 mailbox.
Scope: local
bullseye: resolved (fixed in 2.4.5-1)
debian
CVE-2011-1433 | P4 | LOW | CVSS 5.0 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2011
CVE-2011-1433 [MEDIUM] CVE-2011-1433: otrs2 - The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Reque...
The (1) AgentInterface and (2) CustomerInterface components in Open Ticket Request System (OTRS) before 3.0.6 place cleartext credentials into the session data in the database, which makes it easier for context-dependent attackers to obtain sensitive information by reading the _UserLogin and _UserPW fields.
Scope: local
bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian
CVE-2010-4765 | P4 | LOW | CVSS 4.9 | fixed in otrs2 2.4.8+dfsg1-1 (bullseye) | 2010
CVE-2010-4765 [MEDIUM] CVE-2010-4765: otrs2 - Race condition in the Kernel::System::Main::FileWrite method in Open Ticket Requ...
Race condition in the Kernel::System::Main::FileWrite method in Open Ticket Request System (OTRS) before 2.4.8 allows remote authenticated users to corrupt the TicketCounter.log data in opportunistic circumstances by creating tickets.
Scope: local
bullseye: resolved (fixed in 2.4.8+dfsg1-1)
debian
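The TicketCounter.log corruption in CVE-2010-4765 is an unsynchronised read-modify-write on a shared file: two ticket creations read the same counter and both write back the same next value. The following is an added example written for this page, not OTRS code; it contrasts the lock-free pattern with one that holds an exclusive flock() for the whole cycle, using a counter file created in a temporary directory, and the worker and round counts are assumptions chosen to make the race observable.

```python
import fcntl
import os
import tempfile
import threading


def naive_increment(path: str) -> int:
    """Read, increment, write back with no lock.

    Two concurrent callers can both read N and both write N+1, so a
    ticket number is silently reused or the counter even goes backwards:
    the race the advisory describes.
    """
    with open(path, "r", encoding="utf-8") as fh:
        current = int(fh.read().strip() or "0")  # "" if a writer just truncated
    new = current + 1
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(str(new))
    return new


def locked_increment(path: str) -> int:
    """Hold an exclusive advisory lock across the whole read-modify-write.

    flock() locks the open file description, so every open() gets its own
    lock and threads in one process contend correctly.  fcntl.lockf() would
    not do here: POSIX record locks are per process, so threads of the same
    process would never block each other.
    """
    with open(path, "r+", encoding="utf-8") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)
        try:
            current = int(fh.read().strip() or "0")
            new = current + 1
            fh.seek(0)
            fh.truncate()
            fh.write(str(new))
            fh.flush()
            os.fsync(fh.fileno())  # the counter must also survive a crash
        finally:
            fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    return new


def hammer(increment, workers: int = 8, rounds: int = 200) -> int:
    """Run `increment` from several threads against a fresh counter file
    (constructed in a temp dir) and return the final value on disk."""
    fd, path = tempfile.mkstemp(prefix="TicketCounter.", suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("0")

    def worker() -> None:
        for _ in range(rounds):
            increment(path)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path, encoding="utf-8") as fh:
        final = int(fh.read().strip() or "0")
    os.unlink(path)
    return final


if __name__ == "__main__":
    expected = 8 * 200
    print("naive :", hammer(naive_increment), "of", expected)
    print("locked:", hammer(locked_increment), "of", expected)
```

The locked version always ends at workers × rounds; the naive one usually ends lower, and by how much depends on scheduling, which is why a race like this shows up only "in opportunistic circumstances".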
CVE-2018-16586 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 6.0.11-1 (bullseye) | 2018
CVE-2018-16586 [MEDIUM] CVE-2018-16586: otrs2 - In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, a...
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.
Scope: local
bullseye: resolved (fixed in 6.0.11-1)
debian
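CVE-2019-12248 and CVE-2018-16586 both describe the same failure mode: a crafted HTML mail is rendered in an agent's browser, and image or CSS references in it make the browser contact an attacker-controlled host, confirming the address is read and leaking the agent's IP, browser fingerprint and the time of viewing. The following added example (written for this page, not OTRS code) strips every reference a browser dereferences on render while keeping cid: attachments, inline image data URLs and ordinary links; the sample message is constructed and the element and attribute lists are the author's assumptions about what an HTML mail renderer should refuse.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that fetch or execute remote resources on their own.
DROP_CONTAINER = {"script", "style", "iframe", "object", "applet"}   # removed with contents
DROP_VOID = {"link", "base", "meta", "embed", "frame"}               # removed as-is
VOID_TAGS = {"img", "br", "hr", "input", "area", "col", "source", "track", "wbr"} | DROP_VOID
# Attributes a browser dereferences just by rendering the element (no click needed).
LOAD_ATTRS = {"src", "srcset", "poster", "background", "lowsrc"}


def is_local_reference(value: str) -> bool:
    """True only for MIME-part (cid:) references and inline image data URLs.
    http(s), protocol-relative (//host/...) and relative URLs all reach the network."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    if scheme == "cid":
        return True
    if scheme == "data":
        return value.lower().startswith("data:image/")
    return False


class RemoteContentBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked_urls = []   # attribute values removed
        self.dropped_tags = []   # elements removed entirely
        self._skip = 0           # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTAINER:
            self._skip += 1
            self.dropped_tags.append(tag)
            return
        if tag in DROP_VOID:
            self.dropped_tags.append(tag)
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name == "style":  # inline CSS can carry url(...)
                continue
            if name in LOAD_ATTRS and not (value and is_local_reference(value)):
                self.blocked_urls.append(value or "")
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTAINER:          # <style/> has no content to skip
            self.dropped_tags.append(tag)
            return
        self.handle_starttag(tag, attrs)   # <img .../>: emit the start tag only

    def handle_endtag(self, tag):
        if tag in DROP_CONTAINER:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # conditional comments go the same way as the content they hide


def strip_remote_content(html: str):
    """Return (sanitised html, blocked attribute URLs, dropped element names)."""
    parser = RemoteContentBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked_urls, parser.dropped_tags


# Constructed sample: a tracking pixel, a remote stylesheet, CSS url() in two places,
# a legitimate cid: logo and a plain link.
SAMPLE_MAIL = (
    '<html><head><style>body{background:url(https://t.example/bg.png)}</style>'
    '<link rel="stylesheet" href="https://t.example/mail.css"></head>'
    '<body style="background-image:url(https://t.example/b.gif)">'
    '<p>Hi &amp; welcome</p>'
    '<img src="https://t.example/pixel.gif?id=42" width="1" height="1">'
    '<img src="cid:logo@company" alt="logo">'
    '<a href="https://company.example/help">help</a></body></html>'
)

if __name__ == "__main__":
    clean, blocked, dropped = strip_remote_content(SAMPLE_MAIL)
    print(clean)
    print("blocked:", blocked, "dropped:", dropped)
```

Links are deliberately left alone: following one is a user action, whereas an image or stylesheet is fetched the moment the message is displayed. A renderer that wants to offer "load remote content" on demand can keep the blocked list and swap the attributes back in when the agent asks.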
CVE-2014-2554 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 3.3.6-1 (bullseye) | 2014
CVE-2014-2554 [MEDIUM] CVE-2014-2554: otrs2 - OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows rem...
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
Scope: local
bullseye: resolved (fixed in 3.3.6-1)
debian
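Clickjacking as in CVE-2014-2554 works because the application never tells the browser it must not be framed. Checking that is a response-header question, so the following added example (written for this page, not OTRS code) classifies a response's framing policy from its headers and produces a corrected header set; the header dictionaries are constructed and the classification labels are the author's own.

```python
def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the CSP has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_policy(headers: dict) -> str:
    """Classify what a response lets browsers do with it inside an <iframe>.

    'deny'         nobody may frame it
    'same-origin'  only the application's own origin may frame it
    'allowlist'    a named set of origins may frame it
    'unprotected'  any site may frame it, i.e. clickjackable
    A CSP frame-ancestors directive wins over X-Frame-Options when both are
    present; that is how the CSP specification tells browsers to resolve them.
    """
    sources = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if sources is not None:
        if not sources or sources == ["none"]:
            return "deny"
        if all(s == "self" for s in sources):
            return "same-origin"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return "unprotected"
        return "allowlist"
    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never standardised; current browsers ignore the whole
    # header when they see it, so it is no protection at all.
    return "unprotected"


def add_framing_protection(headers: dict, same_origin: bool = True) -> dict:
    """Copy of the response headers with both anti-framing headers set.
    X-Frame-Options covers old clients; CSP is what modern browsers enforce.
    Any existing frame-ancestors directive is replaced, the rest of the CSP kept."""
    fixed = {k: v for k, v in headers.items()
             if k.lower() not in ("x-frame-options", "content-security-policy")}
    fixed["X-Frame-Options"] = "SAMEORIGIN" if same_origin else "DENY"
    wanted = "frame-ancestors 'self'" if same_origin else "frame-ancestors 'none'"
    others = [d.strip() for d in _header(headers, "Content-Security-Policy").split(";")
              if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
    fixed["Content-Security-Policy"] = "; ".join(others + [wanted])
    return fixed


if __name__ == "__main__":
    # Constructed header sets for a vulnerable and a fixed ticket-system response.
    vulnerable = {"Content-Type": "text/html; charset=utf-8",
                  "Content-Security-Policy": "default-src 'self'"}
    print(framing_policy(vulnerable))                           # unprotected
    print(framing_policy(add_framing_protection(vulnerable)))   # same-origin
```

A scanner that only greps for X-Frame-Options misses both directions: a page with `X-Frame-Options: DENY` but `frame-ancestors *` is framable, and a page with no X-Frame-Options but `frame-ancestors 'none'` is not.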
CVE-2020-1767 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.25-1 (bullseye) | 2020
CVE-2020-1767 [LOW] CVE-2020-1767: otrs2 - Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open...
Agent A is able to save a draft (e.g. for a customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
debian
CVE-2020-1776 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.29-1 (bullseye) | 2020
CVE-2020-1776 [LOW] CVE-2020-1776: otrs2 - When an agent user is renamed or set to invalid the session belonging to the use...
When an agent user is renamed or set to invalid, the session belonging to the user is kept active. The session cannot be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.29-1)
debian
CVE-2021-21443 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.32-6 (bullseye) | 2021
CVE-2021-21443 [LOW] CVE-2021-21443: otrs2 - Agents are able to list customer user emails without required permissions in the...
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Scope: local
bullseye: resolved (fixed in 6.0.32-6)
debian
CVE-2021-36091 | P4 | LOW | CVSS 3.5 | fixed in otrs2 6.0.32-6 (bullseye) | 2021
CVE-2021-36091 [LOW] CVE-2021-36091: otrs2 - Agents are able to list appointments in the calendars without required permissio...
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Scope: local
bullseye: resolved (fixed in 6.0.32-6)
debian
CVE-2007-2383 | P4 | LOW | CVSS 5.0 | fixed in asterisk 1:1.6.2.0~rc3-1 (bullseye) | 2007
CVE-2007-2383 [MEDIUM] CVE-2007-2383: asterisk - The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using Java...
The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijack
debian