Vulnerability Details CVE-2017-16664
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.7%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
Products affected by CVE-2017-16664
- cpe:2.3:a:otrs:otrs:3.3.0
- cpe:2.3:a:otrs:otrs:3.3.1
- cpe:2.3:a:otrs:otrs:3.3.10
- cpe:2.3:a:otrs:otrs:3.3.11
- cpe:2.3:a:otrs:otrs:3.3.12
- cpe:2.3:a:otrs:otrs:3.3.13
- cpe:2.3:a:otrs:otrs:3.3.14
- cpe:2.3:a:otrs:otrs:3.3.15
- cpe:2.3:a:otrs:otrs:3.3.16
- cpe:2.3:a:otrs:otrs:3.3.17
- cpe:2.3:a:otrs:otrs:3.3.18
- cpe:2.3:a:otrs:otrs:3.3.19
- cpe:2.3:a:otrs:otrs:3.3.2
- cpe:2.3:a:otrs:otrs:3.3.3
- cpe:2.3:a:otrs:otrs:3.3.4
- cpe:2.3:a:otrs:otrs:3.3.5
- cpe:2.3:a:otrs:otrs:3.3.6
- cpe:2.3:a:otrs:otrs:3.3.7
- cpe:2.3:a:otrs:otrs:3.3.8
- cpe:2.3:a:otrs:otrs:3.3.9
- cpe:2.3:a:otrs:otrs:4.0.0
- cpe:2.3:a:otrs:otrs:4.0.1
- cpe:2.3:a:otrs:otrs:4.0.10
- cpe:2.3:a:otrs:otrs:4.0.11
- cpe:2.3:a:otrs:otrs:4.0.12
- cpe:2.3:a:otrs:otrs:4.0.13
- cpe:2.3:a:otrs:otrs:4.0.14
- cpe:2.3:a:otrs:otrs:4.0.15
- cpe:2.3:a:otrs:otrs:4.0.16
- cpe:2.3:a:otrs:otrs:4.0.17
- cpe:2.3:a:otrs:otrs:4.0.18
- cpe:2.3:a:otrs:otrs:4.0.19
- cpe:2.3:a:otrs:otrs:4.0.2
- cpe:2.3:a:otrs:otrs:4.0.20
- cpe:2.3:a:otrs:otrs:4.0.21
- cpe:2.3:a:otrs:otrs:4.0.22
- cpe:2.3:a:otrs:otrs:4.0.23
- cpe:2.3:a:otrs:otrs:4.0.24
- cpe:2.3:a:otrs:otrs:4.0.25
- cpe:2.3:a:otrs:otrs:4.0.3
- cpe:2.3:a:otrs:otrs:4.0.4
- cpe:2.3:a:otrs:otrs:4.0.5
- cpe:2.3:a:otrs:otrs:4.0.6
- cpe:2.3:a:otrs:otrs:4.0.7
- cpe:2.3:a:otrs:otrs:4.0.8
- cpe:2.3:a:otrs:otrs:4.0.9
- cpe:2.3:a:otrs:otrs:5.0.0
- cpe:2.3:a:otrs:otrs:5.0.1
- cpe:2.3:a:otrs:otrs:5.0.10
- cpe:2.3:a:otrs:otrs:5.0.11
- cpe:2.3:a:otrs:otrs:5.0.12
- cpe:2.3:a:otrs:otrs:5.0.13
- cpe:2.3:a:otrs:otrs:5.0.14
- cpe:2.3:a:otrs:otrs:5.0.15
- cpe:2.3:a:otrs:otrs:5.0.16
- cpe:2.3:a:otrs:otrs:5.0.17
- cpe:2.3:a:otrs:otrs:5.0.18
- cpe:2.3:a:otrs:otrs:5.0.19
- cpe:2.3:a:otrs:otrs:5.0.2
- cpe:2.3:a:otrs:otrs:5.0.20
- cpe:2.3:a:otrs:otrs:5.0.21
- cpe:2.3:a:otrs:otrs:5.0.22
- cpe:2.3:a:otrs:otrs:5.0.23
- cpe:2.3:a:otrs:otrs:5.0.3
- cpe:2.3:a:otrs:otrs:5.0.4
- cpe:2.3:a:otrs:otrs:5.0.5
- cpe:2.3:a:otrs:otrs:5.0.6
- cpe:2.3:a:otrs:otrs:5.0.7
- cpe:2.3:a:otrs:otrs:5.0.8
- cpe:2.3:a:otrs:otrs:5.0.9
- cpe:2.3:o:debian:debian_linux:7.0
- cpe:2.3:o:debian:debian_linux:8.0
- cpe:2.3:o:debian:debian_linux:9.0