
Otrs Ag Otrs vulnerabilities

75 known vulnerabilities affecting otrs_ag/otrs.

Total CVEs: 75
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 53, LOW 4

Vulnerabilities

Page 4 of 4
CVE-2021-21443 | P4 | MEDIUM | CVSS 4.3 | ≥ 7.0.x, < 7.0.27 | 2021-07-26
CVE-2021-21443 [MEDIUM] CWE-200: Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Source: nvd
CVE-2021-36091 | P4 | MEDIUM | CVSS 4.3 | ≥ 7.0.x, < 7.0.27 | 2021-07-26
CVE-2021-36091 [MEDIUM] CWE-200: Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Source: nvd
CVE-2026-6060 | P4 | MEDIUM | CVSS 4.5 | v7.0.x, v8.0.x, +4 more | 2026-04-20
CVE-2026-6060 [MEDIUM] CWE-400: A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver (will be killed by the system). This issue affects OTRS: 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026.3.X.
Source: nvd
CVE-2020-1778 | P4 | MEDIUM | CVSS 4.3 | ≥ 8.0.x, ≤ 8.0.9 | 2020-11-23
CVE-2020-1778 [MEDIUM] CWE-287: When OTRS uses multiple backends for user authentication (with LDAP), agents are able to log in even if the account is set to invalid. This issue affects OTRS: 8.0.9 and prior versions.
Source: nvd
CVE-2021-36097 | P4 | MEDIUM | CVSS 4.3 | ≥ 8.0.x, ≤ 8.0.16 | 2021-10-18
CVE-2021-36097 [MEDIUM] CWE-266: Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to a queue where the agent has "rw" permissions, giving the agent full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
Source: nvd
CVE-2023-38058 | P4 | MEDIUM | CVSS 4.3 | ≥ 8.0.x, < 8.0.35 | 2023-07-24
CVE-2023-38058 [MEDIUM] CWE-269: An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to perform a move of a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
Source: nvd
CVE-2022-39049 | P4 | MEDIUM | CVSS 4.8 | ≥ 7.0.x, ≤ 7.0.36; ≥ 8.0.x, ≤ 8.0.24 | 2022-09-05
CVE-2022-39049 [MEDIUM] CWE-79: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
Source: nvd
CVE-2022-0473 | P4 | MEDIUM | CVSS 4.8 | ≥ 7.0.x, ≤ 7.0.31 | 2022-02-07
CVE-2022-0473 [MEDIUM] CWE-79: OTRS administrators can configure a dynamic field and inject malicious JavaScript code into the error message of the regular expression check. When used in the agent interface, the malicious code might be executed in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.
Source: nvd
CVE-2021-21438 | P4 | MEDIUM | CVSS 4.3 | ≥ unspecified, ≤ 7.0.24 | 2021-03-22
CVE-2021-21438 [MEDIUM] CWE-264: Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
Source: nvd
CVE-2022-1004 | P4 | MEDIUM | CVSS 4.3 | ≥ 7.0.x, ≤ 7.0.32; ≥ 8.0.x, ≤ 8.0.19 | 2022-03-21
CVE-2022-1004 [MEDIUM] CWE-200: Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Source: nvd
CVE-2020-1775 | P4 | MEDIUM | CVSS 4.3 | ≥ 7.0.x, ≤ 7.0.17; ≥ 8.0.x, ≤ 8.0.3 | 2020-06-08
CVE-2020-1775 [MEDIUM] CWE-200: BCC recipients in mails sent from OTRS are visible in article detail on the external interface. This issue affects OTRS: 8.0.3 and prior versions, 7.0.17 and prior versions.
Source: nvd
CVE-2026-48190 | P4 | LOW | CVSS 3.5 | v7.0.x, v8.0.x, +4 more | 2026-06-01
CVE-2026-48190 [LOW] CWE-276: An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026
Source: nvd
CVE-2024-43446 | P4 | LOW | CVSS 3.5 | v7.0.x, v8.0.x, +3 more | 2025-01-27
CVE-2024-43446 [LOW] CWE-269: An improper privilege management vulnerability in the OTRS Generic Interface module allows changing the Ticket status even if the user only has ro permissions. This issue affects: OTRS 7.0.X, OTRS 8.0.X, OTRS 2023.X, OTRS 2024.X, ((OTRS)) Community Edition 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Source: nvd
CVE-2026-48191 | P4 | LOW | CVSS 3.5 | v8.0.x, v2023.x, +3 more | 2026-06-01
CVE-2026-48191 [LOW] CWE-276: An incorrect handling of permissions in STORM powered by OTRS and in the OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about the number of affected CIs, SLAs and services without gaining access to them. This issue affects OTRS with STORM modules: 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026.4.
Source: nvd
CVE-2025-24388 | P4 | LOW | CVSS 3.8 | v7.0.x, v8.0.x, +3 more | 2025-06-16
CVE-2025-24388 [LOW] CWE-184: A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allows parameter injection by an authenticated agent or admin user. This issue affects: OTRS 7.0.X, OTRS 8.0.X, OTRS 2023.X, OTRS 2024.X, OTRS 2025.X, ((OTRS)) Community Edition 6.0.x. Products based on the ((OTRS)) Community Edition also very l
Source: nvd