Debian Otrs2 vulnerabilities
102 known vulnerabilities affecting debian/otrs2.
Total CVEs: 102
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 3
Severity breakdown: HIGH 11, MEDIUM 55, LOW 36
Vulnerabilities
Page 5 of 6
CVE-2020-1770 | P4 | LOW | CVSS 2.4 | fixed in otrs2 6.0.27-1 (bullseye) | 2020
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.27-1)
debian
CVE-2019-9751 | P4 | MEDIUM | CVSS 4.8 | fixed in otrs2 6.0.17-1 (bullseye) | 2019
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.
Scope: local
bullseye: resolved (fixed in 6.0.17-1)
debian
CVE-2008-7282 | P4 | MEDIUM | CVSS 4.6 | fixed in otrs2 2.2.6-1 (bullseye) | 2008
Kernel/Output/HTML/CustomerNewTicketQueueSelectionGeneric.pm in Open Ticket Request System (OTRS) before 2.2.6, when the CustomerPanelOwnSelection and CustomerGroupSupport options are enabled, allows remote authenticated users to bypass intended access restrictions, and perform certain (1) list and (2) write operations on queues, via unspecified vectors.
Scope: local
debian
CVE-2010-3476 | P4 | LOW | CVSS 3.5 | fixed in otrs2 2.4.8+dfsg1-1 (bullseye) | 2010
Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080.
Scope: local
bullseye: resolved (fixed in 2.4.8+dfsg1-1)
debian
CVE-2011-1518 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 2.4.10+dfsg1-1 (bullseye) | 2011
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Scope: local
bullseye: resolved (fixed in 2.4.10+dfsg1-1)
debian
CVE-2018-19142 | P4 | MEDIUM | CVSS 4.8 | fixed in otrs2 6.0.13-1 (bullseye) | 2018
Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin to conduct an XSS attack via a modified URL.
Scope: local
bullseye: resolved (fixed in 6.0.13-1)
debian
CVE-2018-19141 | P4 | MEDIUM | CVSS 4.8 | fixed in otrs2 6.0.1-1 (bullseye) | 2018
Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before 5.0.31 allows an admin to conduct an XSS attack via a modified URL because user and customer preferences are mishandled.
Scope: local
bullseye: resolved (fixed in 6.0.1-1)
debian
CVE-2008-7275 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 2.3.3-1 (bullseye) | 2008
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView.
Scope: local
bullseye: resolved (fixed in 2.3.3-1)
debian
CVE-2018-10198 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 6.0.7-1 (bullseye) | 2018
An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose internal article information of their customer tickets.
Scope: local
bullseye: resolved (fixed in 6.0.7-1)
debian
CVE-2008-7281 | P4 | MEDIUM | CVSS 4.3 | fixed in otrs2 2.2.7-1 (bullseye) | 2008
Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing a Bcc header field that lists the Blind Carbon Copy recipients, which allows remote attackers to obtain potentially sensitive e-mail address information by reading this field.
Scope: local
bullseye: resolved (fixed in 2.2.7-1)
debian
CVE-2010-4759 | P4 | LOW (tagged MEDIUM in the entry title) | CVSS 4.0 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2010
Open Ticket Request System (OTRS) before 3.0.0-beta7 does not properly restrict the ticket ages that are within the scope of a search, which allows remote authenticated users to cause a denial of service (daemon hang) via a fulltext search.
Scope: local
bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian
CVE-2010-4761 | P4 | LOW (tagged MEDIUM in the entry title) | CVSS 4.0 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2010
The customer-interface ticket-print dialog in Open Ticket Request System (OTRS) before 3.0.0-beta3 does not properly restrict customer-visible data, which allows remote authenticated users to obtain potentially sensitive information from the (1) responsible, (2) owner, (3) accounted time, (4) pending until, and (5) lock fields by reading this dialog.
Scope: local
bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian
CVE-2009-5055 | P4 | LOW | CVSS 3.5 | fixed in otrs2 2.4.5-1 (bullseye) | 2009
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to Cus
debian
CVE-2010-4766 | P4 | LOW (tagged MEDIUM in the entry title) | CVSS 4.3 | fixed in otrs2 2.4.7+dfsg1-1 (bullseye) | 2010
The AgentTicketForward feature in Open Ticket Request System (OTRS) before 2.4.7 does not properly remove inline images from HTML e-mail messages, which allows remote attackers to obtain potentially sensitive image information in opportunistic circumstances by reading a forwarded message in a standard e-mail client.
Scope: local
bullseye: resolved (fixed in 2.4.7+dfsg1-1)
debian
CVE-2008-7276 | P4 | LOW (tagged MEDIUM in the entry title) | CVSS 4.6 | fixed in otrs2 2.3.2-1 (bullseye) | 2008
Kernel/System/Web/Request.pm in Open Ticket Request System (OTRS) before 2.3.2 creates a directory under /tmp/ with 1274 permissions, which might allow local users to bypass intended access restrictions via standard filesystem operations, related to incorrect interpretation of 0700 as a decimal value.
Scope: local
bullseye: resolved (fixed in 2.3.2-1)
debian
CVE-2014-2553 | P4 | LOW | CVSS 3.5 | fixed in otrs2 3.3.6-1 (bullseye) | 2014
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
Scope: local
bullseye: resolved (fixed in 3.3.6-1)
debian
CVE-2010-2080 | P4 | LOW | CVSS 3.5 | fixed in otrs2 2.4.8+dfsg1-1 (bullseye) | 2010
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Scope: local
bullseye: resolved (fixed in 2.4.8+dfsg1-1)
debian
CVE-2010-4762 | P4 | LOW | CVSS 3.5 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2010
Cross-site scripting (XSS) vulnerability in the rich-text-editor component in Open Ticket Request System (OTRS) before 3.0.0-beta2 allows remote authenticated users to inject arbitrary web script or HTML by using the "source code" feature in the customer interface.
Scope: local
bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian
CVE-2010-4760 | P4 | LOW | CVSS 3.5 | fixed in otrs2 3.0.8+dfsg1-1 (bullseye) | 2010
Open Ticket Request System (OTRS) before 3.0.0-beta6 adds email-notification-ext articles to tickets during processing of event-based notifications, which allows remote authenticated users to obtain potentially sensitive information by reading a ticket.
Scope: local
bullseye: resolved (fixed in 3.0.8+dfsg1-1)
debian
CVE-2010-4071 | P4 | LOW | CVSS 2.6 | fixed in otrs2 2.4.9+dfsg1-1 (bullseye) | 2010
Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2.4.x before 2.4.9, when RichText is enabled, allows remote attackers to inject arbitrary web script or HTML via JavaScript in an HTML e-mail.
Scope: local
bullseye: resolved (fixed in 2.4.9+dfsg1-1)
debian