Filtered by vendor Otrs
Subscribe
Total
151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16921 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
| In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user. | |||||
| CVE-2017-14635 | 1 Otrs | 1 Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. | |||||
| CVE-2017-9299 | 1 Otrs | 1 Otrs | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. NOTE: this CVE may have limited relevance because it represents a 2017 discovery of an issue in software from 2014. The 3.3.20 release, for example, is not affected. | |||||
| CVE-2017-9324 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. | |||||
| CVE-2017-15864 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 4.0 MEDIUM | 8.8 HIGH |
| In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. | |||||
| CVE-2016-9139 | 1 Otrs | 1 Otrs | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. | |||||
| CVE-2017-16664 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation. | |||||
| CVE-2017-16854 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. | |||||
| CVE-2017-17476 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email. | |||||
| CVE-2014-2553 | 1 Otrs | 1 Otrs | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. | |||||
| CVE-2016-5843 | 1 Otrs | 1 Faq | 2025-04-12 | 9.0 HIGH | 9.4 CRITICAL |
| Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters. | |||||
| CVE-2014-9324 | 1 Otrs | 1 Otrs Help Desk | 2025-04-12 | 6.0 MEDIUM | N/A |
| The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. | |||||
| CVE-2014-2554 | 2 Opensuse, Otrs | 2 Opensuse, Otrs | 2025-04-12 | 4.3 MEDIUM | N/A |
| OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. | |||||
| CVE-2014-1695 | 1 Otrs | 1 Otrs | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. | |||||
| CVE-2012-4600 | 1 Otrs | 2 Otrs, Otrs Itsm | 2025-04-11 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags. | |||||
| CVE-2011-2385 | 1 Otrs | 2 Iphonehandle, Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
| The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors. | |||||
| CVE-2010-3476 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
| Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080. | |||||
| CVE-2008-7275 | 1 Otrs | 1 Otrs | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) before 2.3.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) AgentTicketMailbox or (2) CustomerTicketOverView. | |||||
| CVE-2010-4764 | 1 Otrs | 1 Otrs | 2025-04-11 | 5.0 MEDIUM | N/A |
| Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, does not present warnings about incoming encrypted e-mail messages that were based on revoked PGP or GPG keys, which makes it easier for remote attackers to spoof e-mail communication by leveraging a key that has a revocation signature. | |||||
| CVE-2010-4760 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
| Open Ticket Request System (OTRS) before 3.0.0-beta6 adds email-notification-ext articles to tickets during processing of event-based notifications, which allows remote authenticated users to obtain potentially sensitive information by reading a ticket. | |||||