Otrs ≫ Otrs

Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edit...

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Communi...

An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system

Article template contents with sensitive data could be accessed from agents without permissions.

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The...

Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package

An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.

A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.

Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.

When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.