6.5

CVE-2018-16587

In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OtrsOpen Ticket Request System Version >= 4.0.0 < 4.0.32
OtrsOpen Ticket Request System Version >= 5.0.0 < 5.0.30
OtrsOpen Ticket Request System Version >= 6.0.0 < 6.0.11
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.75% 0.75
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:N/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://www.debian.org/security/2018/dsa-4317
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html
Third Party Advisory
Mailing List
https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/
Patch
Vendor Advisory
https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01
Patch
https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843
Patch
https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711
Patch