Vulnerabilities > Otrs > High

Each entry lists the publication date, CVE identifier, vulnerability title (where given), description, attack vector and complexity, affected products and CWE, and the risk score.

2021-08-09  CVE-2013-4717  SQL Injection vulnerability in Otrs and Otrs Itsm
  Description: Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, CWE-89
  Risk: 8.8

2021-06-16  CVE-2021-21441  Cross-site Scripting vulnerability in Otrs
  Description: There is an XSS vulnerability in the ticket overview screens.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, CWE-79
  Risk: 7.5

2020-03-27  CVE-2020-1773  Insufficient Entropy vulnerability in Otrs
  Description: An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, CWE-331
  Risk: 8.1

2020-03-27  CVE-2020-1772
  Description: It's possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who already requested new passwords.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, opensuse, debian
  Risk: 7.5

2019-12-05  CVE-2019-18180  Infinite Loop vulnerability in Otrs
  Description: Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, CWE-835
  Risk: 7.5

2018-08-04  CVE-2018-14593
  Description: An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, debian
  Risk: 8.8

2018-03-04  CVE-2018-7567  Unrestricted Upload of File with Dangerous Type vulnerability in Otrs
  Description: In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, CWE-434
  Risk: 7.2

2017-12-20  CVE-2017-17476  Information Exposure vulnerability in multiple products
  Description: Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, debian, CWE-200
  Risk: 8.8

2017-12-08  CVE-2017-16921  OS Command Injection vulnerability in multiple products
  Description: In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, debian, CWE-78
  Risk: 8.8

2017-11-21  CVE-2017-16664  Code Injection vulnerability in multiple products
  Description: Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20.
  Attack vector: network, low complexity
  Affected products / weakness: otrs, debian, CWE-94
  Risk: 8.8