Vulnerabilities > Otrs > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-07-26 | CVE-2021-21443 | Unspecified vulnerability in Otrs. Agents are able to list customer user emails without required permissions in the bulk action screen. | 4.3 |
2021-07-26 | CVE-2021-36091 | Incorrect Authorization vulnerability in Otrs. Agents are able to list appointments in the calendars without required permissions. | 4.3 |
2021-07-26 | CVE-2021-36092 | Cross-site Scripting vulnerability in Otrs. It is possible to create an email that contains a specially crafted link, which can be used to perform an XSS attack. | 4.3 |
2021-06-14 | CVE-2021-21439 | Improper Handling of Exceptional Conditions vulnerability in Otrs. A DoS attack can be performed when an email contains a specially designed URL in the body. | 6.5 |
2021-03-22 | CVE-2021-21438 | Incorrect Default Permissions vulnerability in Otrs FAQ and Otrs. Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). | 4.0 |
2021-03-22 | CVE-2021-21437 | Missing Authorization vulnerability in Otrs products. Agents are able to see linked Config Items without permissions, which are defined in General Catalog. | 4.3 |
2021-02-08 | CVE-2021-21436 | Incorrect Default Permissions vulnerability in Customer Frontend 7.0.0/7.0.14. Agents are able to see and link Config Items without permissions, which are defined in General Catalog. | 4.0 |
2021-02-08 | CVE-2021-21435 | Information Exposure vulnerability in Otrs. Article Bcc fields and agent personal information are shown when a customer prints the ticket (PDF) via the external interface. | 4.3 |
2021-02-08 | CVE-2020-1779 | Information Exposure vulnerability in Otrs Ticket Forms. When dynamic templates are used (OTRSTicketForms), an admin can use OTRS tags which are not masked properly and can reveal sensitive information. | 4.0 |
2020-11-23 | CVE-2020-1778 | Improper Authentication vulnerability in Otrs. When OTRS uses multiple backends for user authentication (with LDAP), agents are able to log in even if the account is set to invalid. | 4.0 |