OTRS AG Community Edition vulnerabilities
45 known vulnerabilities affecting otrs_ag/community_edition.
Total CVEs: 45
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 10, MEDIUM 30, LOW 2
Vulnerabilities
Page 2 of 3
CVE-2024-43445 | P4 | MEDIUM | CVSS 5.4 | CWE-20 | Affected: ≥ 6.0.x, ≤ 6.0.34 | Published: 2025-01-27
OTRS and ((OTRS Community Edition)) fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this by uploading or inserting content that the browser would then treat as a different MIME type than the one intended.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 20
Source: nvd
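The practical check for this finding is to look at the headers of any endpoint that serves user-supplied content (attachment downloads in particular) and confirm the header is present with the one value browsers honour. The following is an added example, not code from OTRS or from this page: a small Python checker that parses a raw HTTP response head, applies the Fetch standard's nosniff rule (split on commas, first element must be an ASCII case-insensitive match for "nosniff"), and additionally flags downloads that are not served as attachments. The two responses it inspects are constructed.

```python
"""Check HTTP responses for the X-Content-Type-Options: nosniff hardening.

Added example; it is not code from OTRS or from this page. The two
responses below are constructed to mimic an attachment download endpoint
before and after the fix.
"""


def parse_response_head(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response head into a dict keyed by lower-cased name.

    Reads the status line and headers up to the first blank line. Repeated
    header names are joined with ", ", the combination RFC 9110 defines.
    """
    lines = raw.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if line == "":
            break  # end of head, body follows
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def has_nosniff(headers: dict) -> bool:
    """Mirror the Fetch standard's 'determine nosniff' step.

    Browsers split the header value on commas and honour the header only if
    the first element is an ASCII case-insensitive match for 'nosniff'.
    So 'no-sniff' does not count, while 'NOSNIFF' does.
    """
    first = headers.get("x-content-type-options", "").split(",")[0]
    return first.strip().lower() == "nosniff"


def audit_download(raw: str) -> list:
    """Findings for a response that serves user-supplied content.

    Besides nosniff, a download endpoint should send Content-Disposition:
    attachment so the browser saves the file instead of rendering it.
    """
    h = parse_response_head(raw)
    findings = []
    if not has_nosniff(h):
        findings.append("missing X-Content-Type-Options: nosniff")
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition != "attachment":
        findings.append("user-supplied content is not served as an attachment")
    return findings


BODY = "<script>alert(document.cookie)</script>"

# Constructed: an uploaded "text" file served without any hardening headers.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)

# Constructed: the same download with the hardening headers in place.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    'Content-Disposition: attachment; filename="note.txt"\r\n'
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_download(raw) or "OK")
```

If the application cannot be upgraded immediately, the header can be added in front of it with the web server's standard directives: `Header always set X-Content-Type-Options "nosniff"` for Apache mod_headers, or `add_header X-Content-Type-Options nosniff always;` for nginx. Those are web-server settings, not OTRS configuration, and they do not fix the Content-Disposition half of the check.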
CVE-2021-36092 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 6.0.1, < 6.0.x* | Published: 2021-07-26
It is possible to create an email containing a specially crafted link that can be used to perform an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Source: nvd
CVE-2020-1765 | P4 | MEDIUM | CVSS 5.3 | CWE-472 | Affected: 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions | Published: 2020-01-10
Improper control of parameters allows spoofing of the From fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior v
Source: nvd
CVE-2021-36095 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 6.0.1, < unspecified | Published: 2021-09-06
A malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Source: nvd
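Login enumeration through a self-service password reset is almost always a response-difference oracle: the flow answers differently for a login that exists and one that does not. The block below is an added example, not OTRS code: two toy request handlers model the flow, one leaking and one answering uniformly, and enumeration_oracle() is the check a tester runs against either. The user table, secret and mail queue are constructed.

```python
"""Login enumeration via a 'lost password' flow, and the uniform-response fix.

Added example, not OTRS code. Two toy request handlers model the flow and
enumeration_oracle() is the tester's check. USERS and MAIL_QUEUE are
constructed stand-ins for the user table and the outbound mail spool.
"""
import secrets

USERS = {"jdoe": "jdoe@example.test", "msmith": "msmith@example.test"}  # constructed
MAIL_QUEUE = []  # (address, token) pairs handed to a separate delivery process


def make_token() -> str:
    """Unguessable single-use reset token (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def vulnerable_lost_password(login: str) -> tuple:
    """Leaks whether the login exists: two different bodies for two cases."""
    if login not in USERS:
        return 200, "Error: no user found with that login."
    MAIL_QUEUE.append((USERS[login], make_token()))
    return 200, "A password reset link has been sent to your email address."


def hardened_lost_password(login: str) -> tuple:
    """Same status and same body whether or not the login exists.

    The token is generated unconditionally so both paths do the same work
    (a real lookup must not short-circuit either); only the enqueue step
    depends on existence, and delivery happens later in another process,
    so neither the body nor the response time reveals it. Rate-limit this
    endpoint as well: a uniform answer still lets an attacker spam resets.
    """
    token = make_token()
    address = USERS.get(login)
    if address is not None:
        MAIL_QUEUE.append((address, token))
    return 200, "If that login exists, a password reset link has been sent to its email address."


def enumeration_oracle(handler, known_valid: str, known_invalid: str) -> bool:
    """True when the handler lets a caller tell a valid login from an invalid one."""
    return handler(known_valid) != handler(known_invalid)


def mails_queued_by(handler, login: str) -> int:
    """How many reset mails one request enqueued (the only legitimate side effect)."""
    before = len(MAIL_QUEUE)
    handler(login)
    return len(MAIL_QUEUE) - before


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lost_password), ("hardened", hardened_lost_password)):
        print(name, "enumerable:", enumeration_oracle(handler, "jdoe", "nobody"))
```

When testing a live instance the comparison is the same, but on the raw response: status code, body after stripping per-request tokens, and response time over several samples, since a handler that skips the expensive step for unknown logins leaks through timing even when the text is identical.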
CVE-2023-5421 | P4 | MEDIUM | CVSS 5.5 | CWE-20 | Affected: ≥ 6.0.x, ≤ 6.0.34 | Published: 2023-10-16
An attacker who is logged into OTRS as a user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediately after the data is saved. The issue only occurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before
Source: nvd
CVE-2023-38059 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 6.0.x, ≤ 6.0.34 | Published: 2023-10-16
The loading of external images is not blocked, even if configured, when the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP address of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Source: nvd
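The bug class here is a filter that decides "external" by looking for a literal http:// or https:// prefix, while the browser decides by resolving the reference the WHATWG way, where "//host/x" (and, for http(s) pages, "\\host\x" or a scheme with leading whitespace) also names a host. The following is an added example, not OTRS code: a naive check that reproduces the bypass beside a hardened one that normalises the reference as a browser would before asking whether it names a host at all. The HTML article it scans is constructed.

```python
"""External-image blocking that also catches protocol-relative URLs.

Added example, not OTRS code. naive_is_external() mirrors the bug class in
CVE-2023-38059: only explicit http:// and https:// sources are treated as
external, so '//host/pixel.gif' is not blocked and the viewer's browser
connects to the attacker's host. is_external() decides the way a browser
will, after WHATWG URL pre-processing. SAMPLE_ARTICLE is constructed.
"""
import re
from urllib.parse import urlsplit

# Matches src="..."  src='...'  src=bare inside an <img> tag.
IMG_SRC = re.compile(
    r"""<img\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)

C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020


def image_sources(html: str) -> list:
    """Every <img> src value in document order, quotes removed."""
    return [next(g for g in m.groups() if g is not None) for m in IMG_SRC.finditer(html)]


def naive_is_external(src: str) -> bool:
    """Vulnerable check: external only if the value spells out http(s)://."""
    return src.lower().startswith(("http://", "https://"))


def browser_normalise(src: str) -> str:
    """Pre-processing the WHATWG URL parser applies before resolving:
    strip leading/trailing C0 controls and spaces, drop tab and newline
    anywhere, and treat backslash as slash (true for http(s) URLs and for
    relative references resolved against an http(s) page)."""
    s = src.strip(C0_AND_SPACE)
    s = s.replace("\t", "").replace("\n", "").replace("\r", "")
    return s.replace("\\", "/")


def is_external(src: str) -> bool:
    """Hardened check: external if the reference names a host at all."""
    try:
        parts = urlsplit(browser_normalise(src))
    except ValueError:
        return True  # unparsable (e.g. bad IPv6 literal): fail closed
    if parts.scheme in ("http", "https"):
        return True  # absolute URL in any letter case, also 'http:host/x' forms
    return parts.netloc != ""  # '//host/...' and, after normalising, '\\host\...'


def external_images(html: str, check=is_external) -> list:
    """Image sources that the given check would block."""
    return [src for src in image_sources(html) if check(src)]


# Constructed article: one local image, four external trackers, one inline image.
SAMPLE_ARTICLE = """<p>Hello,</p>
<img src="/images/logo.png">
<img src="https://tracker.example/pixel.gif?id=42">
<img src="//tracker.example/pixel.gif?id=43">
<img src=' HTTPS://tracker.example/pixel.gif?id=44'>
<img src="\\\\tracker.example\\pixel.gif?id=45">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
"""

if __name__ == "__main__":
    print("naive   :", external_images(SAMPLE_ARTICLE, naive_is_external))
    print("hardened:", external_images(SAMPLE_ARTICLE))
```

The naive filter blocks only the tracker with id=42; the hardened one blocks 43 (protocol-relative), 44 (leading space plus upper-case scheme) and 45 (backslashes) as well, and leaves the local path and the data: URI alone because neither causes a network connection. Deciding on the normalised reference rather than on a prefix is the general fix; an allow-list of the instance's own host is the stricter variant when it is known.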
CVE-2020-1771 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 6.0.x, ≤ 6.0.26 | Published: 2020-03-27
An attacker is able to craft an article with a link to the customer address book containing malicious content (JavaScript). When an agent opens the link, the JavaScript code is executed due to missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Source: nvd
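"Missing parameter encoding" means a value from the article was dropped into a URL inside an HTML attribute as-is, so a value containing a quote closes the attribute and whatever follows becomes markup. The block below is an added example, not OTRS code: the unsafe link builder beside one that percent-encodes each query parameter and then HTML-escapes the finished attribute value, plus a decoder that shows the server still receives the original value intact. The Action name is hypothetical; the ';' parameter separator follows the OTRS URL style.

```python
"""Encoding user-controlled values into a link: the bug class of CVE-2020-1771.

Added example, not OTRS code. vulnerable_link() interpolates a value from
an article straight into an href inside an HTML attribute; safe_link()
percent-encodes each query parameter and HTML-escapes the attribute. The
Action name is hypothetical; ';' is the separator OTRS uses in its URLs.
"""
import html
import re
from urllib.parse import quote, unquote

# Constructed payload: closes the href attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


def vulnerable_link(search: str) -> str:
    """No encoding at all: the value can break out of the attribute."""
    return f'<a href="index.pl?Action=AddressBook;Search={search}">Address book</a>'


def build_query(params: dict, sep: str = ";") -> str:
    """Percent-encode keys and values; safe='' also encodes '/', ';', '=' and '&'."""
    return sep.join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items())


def safe_link(search: str) -> str:
    """URL-encode the parameter, then HTML-escape the finished attribute value."""
    href = "index.pl?" + build_query({"Action": "AddressBook", "Search": search})
    return f'<a href="{html.escape(href, quote=True)}">Address book</a>'


def search_param_seen_by_server(anchor: str) -> str:
    """Undo both layers the way browser and server do: what Search= arrives as."""
    href = html.unescape(re.search(r'href="([^"]*)"', anchor).group(1))
    query = href.split("?", 1)[1]
    params = dict(part.split("=", 1) for part in query.split(";"))
    return unquote(params["Search"])


def tag_count(markup: str) -> int:
    """Number of tags in the markup; one link should contain exactly two (<a>, </a>)."""
    return len(re.findall(r"<[^>]+>", markup))


if __name__ == "__main__":
    print(vulnerable_link(PAYLOAD), tag_count(vulnerable_link(PAYLOAD)))
    print(safe_link(PAYLOAD), tag_count(safe_link(PAYLOAD)))
```

With the payload, the vulnerable anchor turns into four tags (the attribute ends early and a `<script>` element appears) and the server would receive an empty Search value; the safe anchor stays two tags and round-trips the payload as plain data. Both layers matter: percent-encoding handles the URL grammar, HTML-escaping handles the attribute, and the same pattern applies wherever a parameter is written back into a page.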
CVE-2021-36094 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 6.0.1, < 6.0.x* | Published: 2021-09-06
It is possible to craft a request for the appointment edit screen that could lead to an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Source: nvd
CVE-2023-38057 | P4 | MEDIUM | CVSS 5.4 | CWE-20 | Affected: ≥ 6.0.x, ≤ 6.0.22 | Published: 2023-07-24
An improper input validation vulnerability in the OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject JavaScript code into free-text answers. This allows a cross-site scripting attack while the replies are read by an authenticated agent.
This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.
Source: nvd
CVE-2021-36093 | P4 | MEDIUM | CVSS 5.3 | CWE-185 | Affected: ≥ 6.0.1, < 6.0.x* | Published: 2021-09-06
It is possible to create an email that gets stuck while being processed by PostMaster filters, causing a DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
Source: nvd
CVE-2020-1774 | P4 | MEDIUM | CVSS 4.9 | CWE-201 | Affected: 6.0.x <= 6.0.27; 5.0.x <= 5.0.42 | Published: 2020-04-28
When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. It is therefore possible to mix them up and send the private key to a third party instead of the public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.
Source: nvd
CVE-2023-1248 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 6.0.1, ≤ 6.0.34 | Published: 2023-03-20
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS). This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Source: nvd
CVE-2021-36096 | P4 | MEDIUM | CVSS 4.9 | CWE-200 | Affected: ≥ 6.0.1, < 6.0.x* | Published: 2021-09-06
Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
Source: nvd
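Two entries on this page describe the same failure mode from different directions: a key export whose file name does not say whether it holds the private or the public half (CVE-2020-1774, above), and a support bundle that swept private S/MIME and PGP keys into the archive (CVE-2021-36096). In both cases the defence on the operator's side is the same: look at the content, not the name, before anything leaves the server. The block below is an added example, not OTRS code: it classifies PEM blocks by their BEGIN label and scans a .tar.gz for members containing private key material. The bundle it builds is constructed and the key bodies are placeholders.

```python
"""Find private key material before a support bundle or key export leaves the box.

Added example, not OTRS code. export_kind() answers "is this downloaded
file the private or the public half?" (CVE-2020-1774); scan_support_bundle()
lists archive members holding private keys (CVE-2021-36096). The sample
bundle is constructed; its key bodies are placeholders, not real keys.
"""
import io
import re
import tarfile

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)


def pem_labels(data: bytes) -> list:
    """BEGIN labels of every PEM block, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]


def export_kind(data: bytes) -> str:
    """'private' if any block is a private key (PKCS#1, PKCS#8 plain or
    encrypted, EC, OpenSSH, PGP secret key block), 'public' for certificates
    and public keys, 'unknown' when there is no PEM block at all."""
    labels = pem_labels(data)
    if any("PRIVATE KEY" in label for label in labels):
        return "private"
    return "public" if labels else "unknown"


def scan_support_bundle(tar_bytes: bytes) -> list:
    """Names of archive members that contain a private key, in archive order."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is not None and export_kind(fh.read()) == "private":
                hits.append(member.name)
    return hits


def build_sample_bundle() -> bytes:
    """Constructed .tar.gz standing in for a support bundle (paths are illustrative)."""
    files = {
        "bundle/application.log": b"[Info] started\n",
        "bundle/smime/certs/agent.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "bundle/smime/private/agent.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "bundle/pgp/pubring.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQ...\n-----END PGP PUBLIC KEY BLOCK-----\n",
        "bundle/pgp/secring.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQ...\n-----END PGP PRIVATE KEY BLOCK-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_support_bundle(build_sample_bundle()):
        print("private key material in", name)
```

Run the scanner over a bundle before uploading it to a vendor ticket, and run export_kind() over a downloaded key file before attaching it to a mail; a "private" result on something you meant to share as public is the mix-up CVE-2020-1774 describes. The label test is deliberately broad ("PRIVATE KEY" anywhere in the label) so that encrypted PKCS#8 and OpenSSH formats are caught too; an encrypted private key is still a secret.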
CVE-2024-43442 | P4 | MEDIUM | CVSS 4.9 | CWE-790 | Affected: 6.0.x | Published: 2024-08-26
Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins.
This issue affects:
* OTRS from 7.0.X through 7.0.50
* OTRS 8.0.X
* OTRS 2023.X
* OTRS from
Source: nvd
CVE-2024-43443 | P4 | MEDIUM | CVSS 4.9 | CWE-790 | Affected: 6.0.x | Published: 2024-08-26
Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins.
This issue affects:
* OTRS from 7.0.X through 7.0.50
* OTRS 8.0.X
* OTRS 2023.X
* OTRS from 20
Source: nvd
CVE-2020-1769 | P4 | MEDIUM | CVSS 4.3 | CWE-16 | Affected: ≥ 5.0.x, ≤ 5.0.41; ≥ 6.0.x, ≤ 6.0.26 | Published: 2020-03-27
In the login screens (in the agent and customer interface), the Username and Password fields use autocomplete, which might be considered a security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Source: nvd
CVE-2022-39050 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | Affected: ≥ 6.0.1, < 6.0.x* | Published: 2022-09-05
An attacker who is logged into OTRS as an admin user may manipulate the customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. The stored JavaScript is then executed in the context of OTRS. The same issue applies to the use of external data sources, e.g. database or LDAP
Source: nvd
CVE-2020-1770 | P4 | MEDIUM | CVSS 4.3 | CWE-201 | Affected: ≥ 5.0.x, ≤ 5.0.41; ≥ 6.0.x, ≤ 6.0.26 | Published: 2020-03-27
Files generated by the support bundle could contain sensitive information that should not be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Source: nvd
CVE-2020-1767 | P4 | MEDIUM | CVSS 4.3 | Affected: 6.0.x version 6.0.24 and prior versions | Published: 2020-01-10
Agent A is able to save a draft (e.g. for a customer reply). Agent B can then open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prio
Source: nvd
CVE-2020-1776 | P4 | MEDIUM | CVSS 4.3 | CWE-613 | Affected: ≥ 6.0.x, ≤ 6.0.28 | Published: 2020-07-20
When an agent user is renamed or set to invalid, the session belonging to that user is kept active. The session cannot be used to access ticket data if the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4 and prior versions.
Source: nvd