Vulnerabilities > Otrs

DATE CVE VULNERABILITY TITLE RISK
2014-12-19 CVE-2014-9324 Permissions, Privileges, and Access Controls vulnerability in Otrs Help Desk
The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
network
otrs CWE-264
6.0
2014-04-23 CVE-2014-2554 Improper Input Validation vulnerability in multiple products
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
network
opensuse otrs CWE-20
4.3
2014-04-02 CVE-2014-2553 Cross-Site Scripting vulnerability in Otrs
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
network
otrs CWE-79
3.5
2014-03-01 CVE-2014-1695 Cross-Site Scripting vulnerability in Otrs
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
network
otrs CWE-79
4.3
2014-02-04 CVE-2014-1694 Cross-Site Request Forgery (CSRF) vulnerability in Otrs
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
network
otrs CWE-352
6.8
2014-02-04 CVE-2014-1471 SQL Injection vulnerability in Otrs
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
network
low complexity
otrs CWE-89
7.5
2012-08-23 CVE-2012-2582 Cross-Site Scripting vulnerability in Otrs and Otrs Itsm
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element.
network
otrs CWE-79
4.3
2011-08-29 CVE-2011-2746 Local File Disclosure vulnerability in OTRS 'AdminPackageManager.pm'
Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors.
network
low complexity
otrs
4.0
2011-07-19 CVE-2011-2385 Permissions, Privileges, and Access Controls vulnerability in Otrs Iphonehandle and Otrs
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.
network
low complexity
otrs CWE-264
6.5
2011-04-18 CVE-2011-1518 Cross-Site Scripting vulnerability in Otrs
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
otrs CWE-79
4.3