Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-06-13
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.
CVSS Score
3.5
EPSS Score
0.002
Published
2022-06-13
Specially crafted string in OTRS system configuration can allow the execution of any system command.
CVSS Score
6.4
EPSS Score
0.009
Published
2022-03-21
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.
CVSS Score
3.5
EPSS Score
0.005
Published
2022-03-21
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-03-21
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
CVSS Score
3.5
EPSS Score
0.001
Published
2021-10-18
The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in Open Ticket Request System (OTRS) does not properly restrict use of the iPhoneHandle interface, which allows remote authenticated users to gain privileges, and consequently read or modify OTRS core objects, via unspecified vectors.
CVSS Score
6.5
EPSS Score
0.007
Published
2011-07-19
Page 3