Vulnerabilities > Otrs

DATE CVE VULNERABILITY TITLE RISK
2017-12-20 CVE-2017-17476 Information Exposure vulnerability in multiple products
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
network
otrs debian CWE-200
6.8
2017-12-08 CVE-2017-16854 Information Exposure vulnerability in multiple products
In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.
network
low complexity
otrs debian CWE-200
4.0
2017-12-08 CVE-2017-16921 OS Command Injection vulnerability in multiple products
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
network
low complexity
otrs debian CWE-78
critical
9.0
2017-11-21 CVE-2017-16664 Code Injection vulnerability in multiple products
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20.
network
low complexity
otrs debian CWE-94
6.5
2017-11-16 CVE-2017-15864 In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password.
network
low complexity
otrs debian
4.0
2017-09-21 CVE-2017-14635 Improper Input Validation vulnerability in Otrs
In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.
network
low complexity
otrs CWE-20
6.5
2017-06-12 CVE-2017-9324 Improper Privilege Management vulnerability in multiple products
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access.
network
low complexity
otrs debian CWE-269
6.5
2017-05-29 CVE-2017-9299 Cross-site Scripting vulnerability in Otrs 3.3.9
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks.
network
otrs CWE-79
4.3
2017-02-17 CVE-2016-9139 Cross-site Scripting vulnerability in Otrs
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.
network
otrs CWE-79
4.3
2016-09-17 CVE-2016-5843 SQL Injection vulnerability in Otrs FAQ
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.
network
low complexity
otrs CWE-89
critical
9.0