Vulnerabilities > Otrs > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-22 | CVE-2021-21437 | Missing Authorization vulnerability in Otrs products. Agents are able to see linked Config Items without permissions, which are defined in General Catalog. | 4.3 |
2021-02-08 | CVE-2021-21436 | Incorrect Default Permissions vulnerability in Otrs CIS in Customer Frontend 7.0.0/7.0.14. Agents are able to see and link Config Items without permissions, which are defined in General Catalog. | 4.3 |
2021-02-08 | CVE-2021-21435 | Information Exposure vulnerability in Otrs. Article Bcc fields and agent personal information are shown when a customer prints the ticket (PDF) via the external interface. | 6.5 |
2021-02-08 | CVE-2021-21434 | Cross-site Scripting vulnerability in Otrs Survey. Survey administrator can craft a survey in such a way that malicious code can be executed in the agent interface (i.e. | 4.8 |
2021-02-08 | CVE-2020-1779 | Information Exposure vulnerability in Otrs Ticket Forms. When dynamic templates are used (OTRSTicketForms), an admin can use OTRS tags which are not masked properly and can reveal sensitive information. | 4.9 |
2020-11-23 | CVE-2020-1778 | Improper Authentication vulnerability in Otrs. When OTRS uses multiple backends for user authentication (with LDAP), agents are able to log in even if the account is set to invalid. | 4.3 |
2020-10-15 | CVE-2020-1777 | Information Exposure vulnerability in Otrs. The names of agents who participate in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when the system is configured to mask real agent names. | 5.3 |
2020-07-20 | CVE-2020-1776 | Insufficient Session Expiration vulnerability in Otrs. When an agent user is renamed or set to invalid, the session belonging to the user is kept active. | 4.3 |
2020-06-08 | CVE-2020-1775 | Information Exposure vulnerability in Otrs. BCC recipients in mails sent from OTRS are visible in article detail on the external interface. | 4.3 |
2020-04-28 | CVE-2020-1774 | When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. | 4.9 |