Shodan
Vulnerabilities
Vulnerable Software
Otrs:  >> Otrs  Security Vulnerabilities
CVE-2022-39050
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
CVSS Score
4.6
EPSS Score
0.004
Published
2022-09-05
CVE-2022-39051
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
CVSS Score
6.8
EPSS Score
0.002
Published
2022-09-05
CVE-2022-39049
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
CVSS Score
3.5
EPSS Score
0.01
Published
2022-09-05
CVE-2022-32740
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-06-13
CVE-2022-32741
Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
CVSS Score
5.3
EPSS Score
0.003
Published
2022-06-13
CVE-2022-32739
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-06-13
CVE-2021-36100
Specially crafted string in OTRS system configuration can allow the execution of any system command.
CVSS Score
6.4
EPSS Score
0.009
Published
2022-03-21
CVE-2022-0475
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.
CVSS Score
3.5
EPSS Score
0.005
Published
2022-03-21
CVE-2022-1004
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-03-21
CVE-2022-0473
OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.
CVSS Score
3.8
EPSS Score
0.006
Published
2022-02-07


Products
Pricing
Contact Us

Shodan ® - All rights reserved