Debian Otrs2 vulnerabilities

113 known vulnerabilities affecting debian/otrs2.

Total CVEs: 113
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: HIGH 11, MEDIUM 56, LOW 46

Vulnerabilities

Page 4 of 6
CVE-2017-17476 | HIGH | CVSS 8.8 | fixed in otrs2 6.0.3-1 (bullseye) | 2017
  Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
  Scope: local. bullseye: resolved (fixed in 6.0.3-1). Source: debian

CVE-2017-14635 | HIGH | CVSS 8.8 | fixed in otrs2 5.0.23-1 (bullseye) | 2017
  In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.
  Scope: local. bullseye: resolved (fixed in 5.0.23-1). Source: debian

CVE-2017-16854 | MEDIUM | CVSS 6.5 | fixed in otrs2 6.0.2-1 (bullseye) | 2017
  In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.
  Scope: local. bullseye: resolved (fixed in 6.0.2-1). Source: debian

CVE-2016-9139 | MEDIUM | CVSS 6.1 | fixed in otrs2 5.0.14-1 (bullseye) | 2016
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.
  Scope: local. bullseye: resolved (fixed in 5.0.14-1). Source: debian

CVE-2014-1695 | MEDIUM | CVSS 4.3 | PoC | fixed in otrs2 3.3.5-1 (bullseye) | 2014
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
  Scope: local. bullseye: resolved (fixed in 3.3.5-1). Source: debian

CVE-2014-9324 | MEDIUM | CVSS 6.0 | fixed in otrs2 3.3.9-3 (bullseye) | 2014
  The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
  Scope: local. bullseye: resolved (fixed in 3.3.9-3). Source: debian

CVE-2014-2554 | MEDIUM | CVSS 4.3 | fixed in otrs2 3.3.6-1 (bullseye) | 2014
  OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
  Scope: local. bullseye: resolved (fixed in 3.3.6-1). Source: debian

CVE-2014-2553 | LOW | CVSS 3.5 | fixed in otrs2 3.3.6-1 (bullseye) | 2014
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
  Scope: local. bullseye: resolved (fixed in 3.3.6-1). Source: debian

CVE-2014-1471 | LOW (entry detail lists [HIGH]) | CVSS 7.5 | fixed in otrs2 3.3.4-1 (bullseye) | 2014
  SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
  Scope: local. bullseye: resolved (fixed in 3.3.4-1). Source: debian

CVE-2014-1694 | LOW (entry detail lists [MEDIUM]) | CVSS 6.8 | fixed in otrs2 3.3.4-1 (bullseye) | 2014
  Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary user
  Source: debian

CVE-2013-4717 | HIGH | CVSS 8.8 | fixed in otrs2 3.2.9-1 (bullseye) | 2013
  Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/R
  Source: debian

CVE-2013-2625 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.1.7+dfsg1-8 (bullseye) | 2013
  An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. Access rights by the object linking mechanism are not verified.
  Scope: local. bullseye: resolved (fixed in 3.1.7+dfsg1-8). Source: debian

CVE-2013-4088 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.2.8-1 (bullseye) | 2013
  Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.
  Scope: local. bullseye: resolved (fixed in 3.2.8-1). Source: debian

CVE-2013-3551 | MEDIUM | CVSS 6.5 | fixed in otrs2 3.2.7-1 (bullseye) | 2013
  Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticke
  Source: debian

CVE-2012-4751 | MEDIUM | CVSS 4.3 | PoC | fixed in otrs2 3.1.7+dfsg1-6 (bullseye) | 2012
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element.
  Scope: loca
  Source: debian

CVE-2012-2582 | MEDIUM | CVSS 4.3 | PoC | fixed in otrs2 3.1.7+dfsg1-4 (bullseye) | 2012
  Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS
  Source: debian

CVE-2012-4600 | LOW | CVSS 2.6 | PoC | fixed in otrs2 3.1.7+dfsg1-5 (bullseye) | 2012
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
  Scope: local. bullseye: resolved (fixed in 3.1.7+dfsg1-5). Source: debian

CVE-2011-0456 | HIGH | CVSS 7.5 | fixed in otrs2 2.4.5-1 (bullseye) | 2011
  webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability."
  Scope: local. bullseye: resolved (fixed in 2.4.5-1). Source: debian

CVE-2011-1518 | MEDIUM | CVSS 4.3 | fixed in otrs2 2.4.10+dfsg1-1 (bullseye) | 2011
  Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  Scope: local. bullseye: resolved (fixed in 2.4.10+dfsg1-1). Source: debian

CVE-2011-2385 | LOW (entry detail lists [MEDIUM]) | CVSS 6.5 | 2011
  The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.
  Scope: local. bullseye: resolved. Source: debian