Vulnerabilities > Otrs > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-15 | CVE-2024-6540 | Unspecified vulnerability in Otrs Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. | 5.3 |
| 2024-01-29 | CVE-2024-23792 | Improper Authentication vulnerability in Otrs When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. | 6.5 |
| 2023-10-16 | CVE-2023-38059 | Unspecified vulnerability in Otrs The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. | 5.3 |
| 2023-10-16 | CVE-2023-5421 | Cross-site Scripting vulnerability in Otrs An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34. | 5.5 |
| 2023-07-24 | CVE-2023-38057 | Cross-site Scripting vulnerability in Otrs Survey An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. | 5.4 |
| 2023-07-24 | CVE-2023-38058 | Incorrect Authorization vulnerability in Otrs An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35. | 4.3 |
| 2023-04-16 | CVE-2018-17883 | Cross-site Scripting vulnerability in Otrs An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. | 6.1 |
| 2023-03-20 | CVE-2023-1248 | Cross-site Scripting vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 6.1 |
| 2022-10-17 | CVE-2022-39052 | Infinite Loop vulnerability in Otrs An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system | 6.5 |
| 2022-06-13 | CVE-2022-32739 | Unspecified vulnerability in Otrs Calendar Resource Planning and Otrs When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number. | 5.0 |