
oval:org.secpod.oval:def:602932
otrs is installed

oval:org.secpod.oval:def:2005604
An issue was discovered in Open Ticket Request System 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.

oval:org.secpod.oval:def:601903
Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege escalation vulnerability in otrs2, the Open Ticket Request System. An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is con ...

oval:org.secpod.oval:def:2005605
An issue was discovered in Open Ticket Request System 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is rela ...

oval:org.secpod.oval:def:603545
Three vulnerabilities were discovered in the Open Ticket Request System which could result in privilege escalation or denial of service.

oval:org.secpod.oval:def:53439
Three vulnerabilities were discovered in the Open Ticket Request System which could result in privilege escalation or denial of service.

oval:org.secpod.oval:def:603186
Two vulnerabilities were discovered in the Open Ticket Request System which could result in disclosure of database credentials or the execution of arbitrary shell commands by logged-in agents.

oval:org.secpod.oval:def:53195
Two vulnerabilities were discovered in the Open Ticket Request System which could result in disclosure of database credentials or the execution of arbitrary shell commands by logged-in agents.

oval:org.secpod.oval:def:600875
It was discovered that otrs2, a ticket request system, contains a cross-site scripting vulnerability when email messages are viewed using Internet Explorer. This update also improves the HTML security filter to detect tag nesting.

oval:org.secpod.oval:def:601080
It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft SQL queries by injecting arbitrary SQL code through manipulated URLs.

oval:org.secpod.oval:def:601044
A vulnerability has been discovered in the Open Ticket Request System, which can be exploited by malicious users to disclose potentially sensitive information. An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets and they are not permitt ...

oval:org.secpod.oval:def:601317
otrs2 is installed

oval:org.secpod.oval:def:601220
Several vulnerabilities were discovered in otrs2, the Open Ticket Request System. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-1471 Norihiro Tanaka reported missing challenge token checks. An attacker that managed to take over the session of a logged i ...

oval:org.secpod.oval:def:601060
It was discovered that users with a valid agent login could use crafted URLs to bypass access control restrictions and read tickets to which they should not have access. The oldstable distribution is not affected by this problem.

oval:org.secpod.oval:def:600521
Multiple cross-site scripting vulnerabilities were discovered in Open Ticket Request System, a trouble-ticket system. In addition, this security update fixes a failure when upgrading the package from lenny to squeeze. The oldstable distribution is not affected by this problem.

oval:org.secpod.oval:def:2005606
An issue was discovered in Open Ticket Request System 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OT ...

oval:org.secpod.oval:def:2005608
An issue was discovered in Open Ticket Request System 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary f ...

oval:org.secpod.oval:def:1901546
An attacker could send an email with a malicious link to an OTRS system or an agent. If a logged in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.

oval:org.secpod.oval:def:603218
Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request System, which could result in session information disclosure when cookie support is disabled. A remote attacker can take advantage of this flaw to take over an agent's session if the agent is tricked into clicking a link in a spec ...

oval:org.secpod.oval:def:603216
Two vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents.

oval:org.secpod.oval:def:1900318
Open Ticket Request System 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.

oval:org.secpod.oval:def:53212
Two vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents.

oval:org.secpod.oval:def:53214
Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request System, which could result in session information disclosure when cookie support is disabled. A remote attacker can take advantage of this flaw to take over an agent's session if the agent is tricked into clicking a link in a spec ...

oval:org.secpod.oval:def:1900281
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.

oval:org.secpod.oval:def:1900295
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.

oval:org.secpod.oval:def:1901238
In Open Ticket Request System 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in qu ...

oval:org.secpod.oval:def:602924
Joerg-Thomas Vogt discovered that the SecureMode was insufficiently validated in the OTRS ticket system, which could allow agents to escalate their privileges.

oval:org.secpod.oval:def:1901353
Cross-site scripting vulnerability in Open Ticket Request System 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.

oval:org.secpod.oval:def:1901409
In Open Ticket Request System 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.

oval:org.secpod.oval:def:1901380
In Open Ticket Request System through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.

oval:org.secpod.oval:def:2000424
** DISPUTED ** In the Admin Package Manager in Open Ticket Request System 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the ...

CVE    34
CVE-2011-2385
CVE-2013-4088
CVE-2013-3551
CVE-2021-21438
...
*CPE
cpe:/a:otrs:otrs

© SecPod Technologies