An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
CVSS Score
7.5
EPSS Score
0.004
Published
2022-10-17
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
CVSS Score
4.6
EPSS Score
0.004
Published
2022-09-05
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
CVSS Score
6.8
EPSS Score
0.002
Published
2022-09-05
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
CVSS Score
3.5
EPSS Score
0.01
Published
2022-09-05
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.
CVSS Score
4.1
EPSS Score
0.002
Published
2020-11-23
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.
CVSS Score
6.5
EPSS Score
0.007
Published
2011-07-19
Page 2