8.8

CVE-2017-17476

Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OtrsOtrs Version >= 4.0.0 < 4.0.28
OtrsOtrs Version >= 5.0.0 < 5.0.26
OtrsOtrs Version >= 6.0.0 < 6.0.3
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.22% 0.804
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
Patch
Third Party Advisory
https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
Patch
Third Party Advisory
https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2017/dsa-4069
Third Party Advisory
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
Patch
Vendor Advisory