U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:otrs:otrs:4.0.20:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 9 matching records.
Displaying matches 1 through 9.
Vuln ID Summary CVSS Severity
CVE-2021-36100

Specially crafted string in OTRS system configuration can allow the execution of any system command.

Published: March 21, 2022; 6:15:07 AM -0400
V4.0:(not available)
V3.1: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2020-1778

When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.

Published: November 23, 2020; 11:15:13 AM -0500
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-17476

Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.

Published: December 20, 2017; 12:29:00 PM -0500
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2017-16854

In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.

Published: December 08, 2017; 12:29:00 PM -0500
V4.0:(not available)
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-16921

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.

Published: December 08, 2017; 10:29:00 AM -0500
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2017-16664

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.

Published: November 21, 2017; 9:29:00 AM -0500
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-14635

In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection.

Published: September 21, 2017; 9:29:00 AM -0400
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-9324

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end.

Published: June 12, 2017; 2:29:00 AM -0400
V4.0:(not available)
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2011-2385

The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.

Published: July 19, 2011; 4:55:01 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0: 6.5 MEDIUM