Security Advisories

Subscribe to the "announcement" mailing list to stay up-to-date about releases and security updates.

Release name Release date Title References Risk level Details
OTRS Security Advisory 2019-01 01/18/2019 Stored XSS CVE-2019-9752 LOW January 18, 2019

Security Advisory Details
  • ID: OSA-2019-01
  • Date: 2019-01-18
  • Title: Stored XSS
  • Severity: 3.2 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.4, OTRS 6.0.16, OTRS 5.0.34
OTRS Security Advisory 2019-02 03/01/2019 XSS CVE-2019-9751 LOW March 01, 2019

Security Advisory Details
  • ID: OSA-2019-02
  • Date: 2019-03-01
  • Title: XSS
  • Severity: 3.2 low
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.5, OTRS 6.0.17
  • FULL CVSS v3 VECTOR: CVSS
OTRS Security Advisory 2019-03 03/08/2019 Information Disclosure CVE-2019-9753 LOW March 08, 2019

Security Advisory Details
  • ID: OSA-2019-03
  • Date: 2019-03-08
  • Title: Information Disclosure
  • Severity: 3.1 low
  • Product: OTRS 7.0.x, ITSMConfigurationManagement 7.0.x
  • Fixed in: OTRS 7.0.5, ITSMCo
OTRS Security Advisory 2019-04 04/26/2019 XXE Processing CVE-2019-9892 MEDIUM April 26, 2019

Security Advisory Details
  • ID: OSA-2019-04
  • Date: 2019-04-26
  • Title: XXE Processing
  • Severity: 6.1 medium
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.7, OTRS 6.0.18, OTRS 5.0.3
OTRS Security Advisory 2019-05 04/26/2019 Reflected and Stored XSS CVE-2019-10067 LOW April 26, 2019

Security Advisory Details
  • ID: OSA-2019-05
  • Date: 2019-04-26
  • Title: Reflected and Stored XSS
  • Severity: 3.1 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.7, OTRS 6.0.18, OTR
OTRS Security Advisory 2019-06 04/26/2019 Stored XSS CVE-2019-10066 LOW April 26, 2019

Security Advisory Details
  • ID: OSA-2019-06
  • Date: 2019-04-26
  • Title: Stored XSS
  • Severity: 3.7 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRSAppointmentCalendar 5.0.x
  • Fixed in: OTRS 7.0.7, OTRS 6.0.18
OTRS Security Advisory 2019-07 04/26/2019 Information Disclosure CVE-2019-10065 LOW April 26, 2019

Security Advisory Details
  • ID: OSA-2019-07
  • Date: 2019-04-26
  • Title: Information Disclosure
  • Severity: 3.1 low
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.7
  • FULL CVSS v3 VECTOR: CVSS:3.0/
OTRS Security Advisory 2019-08 05/31/2019 Loading External Image Resources CVE-2019-12248 LOW May 31, 2019

Security Advisory Details
  • ID: OSA-2019-08
  • Date: 2019-05-31
  • Title: Loading External Image Resources
  • Severity: 3.5 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.8, OTRS 6.0.
OTRS Security Advisory 2019-09 05/31/2019 Information Disclosure CVE-2019-12497 LOW May 31, 2019

Security Advisory Details
  • ID: OSA-2019-09
  • Date: 2019-05-31
  • Title: Information Disclosure
  • Severity: 2.8 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.8, OTRS 6.0.19, OTRS 5
OTRS Security Advisory 2019-10 07/12/2019 Information Disclosure CVE-2019-12746 LOW July 12, 2019

Security Advisory Details
  • ID: OSA-2019-10
  • Date: 2019-07-12
  • Title: Information Disclosure
  • Severity: 3.1 low
  • Product: OTRS 6.0.x, OTRSBusiness 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 6.0.20, OTRSBusin
OTRS Security Advisory 2019-11 07/12/2019 Information Disclosure CVE-2019-13457 LOW July 12, 2019

Security Advisory Details
  • ID: OSA-2019-11
  • Date: 2019-07-12
  • Title: Information Disclosure
  • Severity: 3.8 low
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.9
  • FULL CVSS v3 VECTOR: CVSS:3.0/A
OTRS Security Advisory 2019-12 07/12/2019 Information Disclosure CVE-2019-13458 LOW July 12, 2019

Security Advisory Details
  • ID: OSA-2019-12
  • Date: 2019-07-12
  • Title: Information Disclosure
  • Severity: 2.4 low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.9, OTRS 6.0.20, OTRS
OTRS Security Advisory 2019-13 10/04/2019 Stored XSS CVE-2019-16375 LOW October 04, 2019

Security Advisory Details
  • ID: OSA-2019-13
  • Date: 2019-09-03
  • Title: Stored XSS
  • Severity: 3.2 Low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.12, OTRS 6.0.23, OTRS 5.0.38
OTRS Security Advisory 2019-14 11/15/2019 Information Disclosure CVE-2019-18179 LOW November 15, 2019

Security Advisory Details
  • ID: OSA-2019-14
  • Date: 2019-11-15
  • Title: Information Disclosure
  • Severity: Low
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.13, OTRS 6.0.24, OTRS
OTRS Security Advisory 2019-15 11/15/2019 Denial of service CVE-2019-18180 MEDIUM November 15, 2019

Security Advisory Details
  • ID: OSA-2019-15
  • Date: 2019-11-15
  • Title: Denial of service
  • Severity: Medium
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.13, OTRS 6.0.24, OTRS 5.
OTRS Security Advisory 2020-01 01/10/2020 Spoofing of From field in several screens CVE-2020-1765 LOW January 10, 2020

Security Advisory Details
  • ID: OSA-2020-01
  • Date: 2020-01-10
  • Title: Spoofing of From field in several screens
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, ((OTRS)) Community Edition 6.0.x, ((OTRS)) Community Edition 5.0.x
  • Fixed in:
OTRS Security Advisory 2020-02 01/10/2020 Improper handling of uploaded inline images CVE-2020-1766 LOW January 10, 2020

Security Advisory Details
  • ID: OSA-2020-02
  • Date: 2020-01-10
  • Title: Improper handling of uploaded inline images
  • Severity: 2.0 LOW
  • Product: OTRS 7.0.x, ((OTRS)) Community Edition 6.0.x, ((OTRS)) Community Edition 5.0.x
  • Fixed in
OTRS Security Advisory 2020-03 01/10/2020 Possible to send drafted messages as wrong agent CVE-2020-1767 LOW January 10, 2020

  • ID: OSA-2020-03
  • Date: 2020-01-10
  • Title: Possible to send drafted messages as wrong agent
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.14, OTRS 6.0.25
  • FULL CVSS v3.1 VECTOR: CVSS:3.
OTRS Security Advisory 2020-04 02/07/2020 External interface does not invalidate user session CVE-2020-1768 MEDIUM February 07, 2020

  • ID: OSA-2020-04
  • Date: 2020-02-07
  • Title: External interface does not invalidate user session
  • Sev
OTRS Security Advisory 2020-05 02/07/2020 Vulnerability in third-party library - jquery CVE-2019-11358 MEDIUM February 07, 2020

  • ID: OSA-2020-05
  • Date: 2020-02-07
  • Title: Vulnerability in third-party library - jquery
  • Severity: Medium
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.15, OTRS 6.0.26
  • FULL CVSS v3.0 VECTOR: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
OTRS Security Advisory 2020-06 03/27/2020 Autocomplete in the form login screens CVE-2020-1769 LOW March 27, 2020

  • ID: OSA-2020-06
  • Date: 2020-03-27
  • Title: Autocomplete in the form login screens
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.16, OTRS 6.0.27, OTRS 5.0.42
  • FULL CVSS VECTOR:
OTRS Security Advisory 2020-07 03/27/2020 Information disclosure in support bundle files CVE-2020-1770 LOW March 27, 2020

  • ID: OSA-2020-07
  • Date: 2020-03-27
  • Title: Information disclosure in support bundle files
  • Severity: 2.4 LOW
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.16, OTRS 6.0.27, OTRS 5.0.42
  • FULL CVSS
OTRS Security Advisory 2020-08 03/27/2020 Possible XSS in Customer user address book CVE-2020-1771 MEDIUM March 27, 2020

  • ID: OSA-2020-08
  • Date: 2020-03-27
  • Title: Possible XSS in Customer user address book
  • Severity: 4.6 MEDIUM
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.16, OTRS 6.0.27
  • FULL CVSS VECTOR: CVSS:3.1/AV:N/AC:
OTRS Security Advisory 2020-09 03/27/2020 Information Disclosure CVE-2020-1772 MEDIUM March 27, 2020

  • ID: OSA-2020-09
  • Date: 2020-03-27
  • Title: Information Disclosure
  • Severity: 6.5 MEDIUM
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.16, OTRS 6.0.27, OTRS 5.0.42
  • FULL CVSS VECTOR: CVSS:3.1/AV:N/AC:
OTRS Security Advisory 2020-10 03/27/2020 Session / Password token leak CVE-2020-1773 HIGH March 27, 2020

  • ID: OSA-2020-10
  • Date: 2020-03-27
  • Title: Session / Password token leak
  • Severity: 7.3 HIGH
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.16, OTRS 6.0.27, OTRS 5.0.42
  • FULL CVSS VECTOR: CVSS:3.1/AV:
OTRS Security Advisory 2020-11 04/27/2020 Information disclosure CVE-2020-1774 MEDIUM April 27, 2020

  • ID: OSA-2020-11
  • Date: 2020-04-24
  • Title: Information disclosure
  • Severity: 4.5 MEDIUM
  • Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
  • Fixed in: OTRS 7.0.17, OTRS 6.0.28
  • FULL CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/U
OTRS Security Advisory 2020-12 06/08/2020 Information disclosure CVE-2020-1775 LOW June 08, 2020

  • ID: OSA-2020-12
  • Date: 2020-06-08
  • Title: Information disclosure
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 7.0.18, OTRS 8.0.4
  • FULL CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/
OTRS Security Advisory 2020-13 07/20/2020 Invalidating or changing user does not invalidate session CVE-2020-1776 LOW July 20, 2020

  • ID: OSA-2020-13
  • Date: 2020-07-20
  • Title: Invalidating or changing user does not invalidate session
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.5, OTRS 7.0.19, OTRS 6.0.29
  • F
OTRS Security Advisory 2020-14 10/12/2020 Vulnerability in third-party library - jquery CVE-2020-11023, CVE-2020-11022 MEDIUM October 12, 2020

  • ID: OSA-2020-14
  • Date: 2020-10-12
  • Title: Vulnerability in third-party library - jquery
  • Severity: 6.3 MEDIUM, 6.5 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.7, OTRS 7.0.22, OTRS 6.0.30
OTRS Security Advisory 2020-15 10/12/2020 Agent names disclosed in chat feature CVE-2020-1777 MEDIUM October 12, 2020

  • ID: OSA-2020-15
  • Date: 2020-10-12
  • Title: Agent names disclosed in chat feature
  • Severity: 4.3 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.7, OTRS 7.0.22
  • FULL CVSS VECTOR: CVSS:3.1/AV:N/AC:L/P
OTRS Security Advisory 2020-16 11/23/2020 Bypassing user account validation CVE-2020-1778 MEDIUM November 23, 2020

  • ID: OSA-2020-16
  • Date: 2020-11-23
  • Title: Bypassing user account validation
  • Severity: Medium
  • Product: OTRS 8.0.9
  • Fixed in: OTRS 8.0.10
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attention! Maximum security risk with OTRS 4 and OTRS 5! 12/23/2020 HIGH Please read carefully and check whether the version of your OTRS system is affected. Please be aware that OTRS 4 / OTRS 5 contains several severe security vulnerabilities, which could lead to GDPR-related claims against you when used. This release has reached end of life and support, and there have been no further security updates since MAR 27th, 2020. Product Affected:
  • OTRS 4, OTRS 5
  • ((OTRS)) Community Edition 4, ((OTRS)) Community Edition 5

Attention! Security risk with OTRS 6! 12/23/2020 HIGH Please read carefully and check whether the version of your OTRS system is affected. OTRS 6 has reached end of life and there will be no further security updates after JAN 1st, 2021. We want to point out that using the software exposes you to a high security risk! Product Affected:
  • OTRS 6
  • ((OTRS)) Community Edition 6
OTRS Security Advisory 2021-01 02/08/2021 XSS CVE-2021-21434 LOW

  • ID: OSA-2021-01
  • Date: 2021-02-08
  • Title: XSS
  • Severity: 3.5 LOW
  • Product: Survey 7.0.x, Survey 6.0.x
  • Fixed in: Survey 7.0.20
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  • References: CVE-2021-
OTRS Security Advisory 2021-02 02/08/2021 Information exposure in PDF export CVE-2021-21435 MEDIUM

  • ID: OSA-2021-02
  • Date: 2021-02-08
  • Title: Information exposure in PDF export
  • Severity: 5.7 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.11, OTRS 7.0.24
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/U
OTRS Security Advisory 2021-03 02/08/2021 Dynamic templates reveal sensitive data when OTRS tags are used CVE-2020-1779 MEDIUM

  • ID: OSA-2021-03
  • Date: 2021-02-08
  • Title: Dynamic templates reveal sensitive data when OTRS tags are used
  • Severity: 4.3 MEDIUM
  • Product: OTRSTicketForms 6.0.40, OTRSTicketForms 7.0.29 and OTRSTicketForms 8.0.3
  • Fixed in: OTRSTicketForms 7
OTRS Security Advisory 2021-04 02/08/2021 Agent is able to link customer's Config Items without permission CVE-2021-21436 LOW

  • ID: OSA-2021-04
  • Date: 2021-02-08
  • Title: Agent is able to link customer's Config Items without permission
  • Severity: 3.5 LOW
  • Product: OTRSCIsInCustomerFrontend 7.0.14
  • Fixed in: OTRSCIsInCustomerFrontend 7.0.15
  • FULL CVSS v3.1
OTRS Security Advisory 2021-05 02/08/2021 Several Vulnerabilities in CKEditor CVE-2018-17960 MEDIUM

  • ID: OSA-2021-05
  • Date: 2021-02-08
  • Title: Several Vulnerabilities in CKEditor
  • Severity: 5.5 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.11, OTRS 7.0.24
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/U
OTRS Security Advisory 2021-06 03/22/2021 ReDoS vulnerability in third-party library (jquery-validate) CVE-2021-21252 MEDIUM

  • ID: OSA-2021-06
  • Date: 2021-03-22
  • Title: ReDoS vulnerability in third-party library (jquery-validate)
  • Severity: 5.3 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.12, OTRS 7.0.25
  • FULL CVSS v3.1 VECTOR:
OTRS Security Advisory 2021-07 03/22/2021 Config Items are shown to users without permission CVE-2021-21437 LOW

  • ID: OSA-2021-07
  • Date: 2021-03-22
  • Title: Config Items are shown to users without permission
  • Severity: 3.5 LOW
  • Product: ITSMConfigurationManagement 7.0.24 and OTRSCIsInCustomerFrontend 7.0.15
  • Fixed in: ITSMConfigurationManagement 7.0.25
OTRS Security Advisory 2021-08 03/22/2021 FAQ articles are shown to users without permission CVE-2021-21438 LOW

  • ID: OSA-2021-08
  • Date: 2021-03-22
  • Title: FAQ articles are shown to users without permission
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.24 and FAQ 6.0.29
  • Fixed in: OTRS 7.0.25
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U
OTRS Security Advisory 2021-09 06/14/2021 Possible DoS attack using a specially crafted URL in email body CVE-2021-21439 MEDIUM

  • ID: OSA-2021-09
  • Date: 2021-06-14
  • Title: Possible DoS attack using a specially crafted URL in email body
  • Severity: 6.5 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.14, OTRS 7.0.27
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/
OTRS Security Advisory 2021-11 06/16/2021 XSS in the ticket overview screens CVE-2021-21441 HIGH

  • ID: OSA-2021-11
  • Date: 2021-06-16
  • Title: XSS in the ticket overview screens
  • Severity: 7.5 HIGH
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.27
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
OTRS Security Advisory 2021-10 07/26/2021 Support Bundle includes S/MIME and PGP keys and secrets CVE-2021-21440, CVE-2021-36096 MEDIUM

  • ID: OSA-2021-10
  • Date: 2021-07-26 (initial), 2021-09-06 (update)
  • Title: Support Bundle includes S/MIME and PGP keys and secrets
  • Severity: 5.2 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.16, OTRS 7.0.29
  • FULL CVS
OTRS Security Advisory 2021-12 07/26/2021 XSS vulnerability in Time Accounting CVE-2021-21442 MEDIUM

  • ID: OSA-2021-12
  • Date: 2021-07-26
  • Title: XSS vulnerability in Time Accounting
  • Severity: 4.5 MEDIUM
  • Product: TimeAccounting 7.0.x
  • Fixed in: TimeAccounting 7.0.20
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:
OTRS Security Advisory 2021-13 07/26/2021 Unauthorized listing of the customer user emails CVE-2021-21443 LOW

  • ID: OSA-2021-13
  • Date: 2021-07-26
  • Title: Unauthorized listing of the customer user emails
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.28
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:
OTRS Security Advisory 2021-14 07/26/2021 Unauthorized access to the calendar appointments CVE-2021-36091 LOW

  • ID: OSA-2021-14
  • Date: 2021-07-26
  • Title: Unauthorized access to the calendar appointments
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 7.0.28
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N
OTRS Security Advisory 2021-15 07/26/2021 XSS attack using special link in email CVE-2021-36092 MEDIUM

  • ID: OSA-2021-15
  • Date: 2021-07-26
  • Title: XSS attack using special link in email
  • Severity: 6.5 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRS 6.0.x
  • Fixed in: OTRS 8.0.15, OTRS 7.0.28
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR
OTRS Security Advisory 2021-16 09/06/2021 DoS attack using PostMaster filters CVE-2021-36093 MEDIUM

  • ID: OSA-2021-16
  • Date: 2021-09-06
  • Title: DoS attack using PostMaster filters
  • Severity: 5.3 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.16, OTRS 7.0.29
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N
OTRS Security Advisory 2021-17 09/06/2021 XSS attack in appointment edit popup screen CVE-2021-36094 MEDIUM

  • ID: OSA-2021-17
  • Date: 2021-09-06
  • Title: XSS attack in appointment edit popup screen
  • Severity: 5.7 MEDIUM
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.29
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
OTRS Security Advisory 2021-18 09/06/2021 User enumeration issue using "lost password" feature CVE-2021-36095 MEDIUM

  • ID: OSA-2021-18
  • Date: 2021-09-06
  • Title: User enumeration issue using "lost password" feature
  • Severity: 5.3 MEDIUM
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.29
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
OTRS Security Advisory 2021-19 10/18/2021 Regular Expression Denial of Service in postcss CVE-2021-23368 MEDIUM

  • ID: OSA-2021-19
  • Date: 2021-10-18
  • Title: Regular Expression Denial of Service in postcss
  • Severity: 5.3 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.17, OTRS 7.0.30
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/U
OTRS Security Advisory 2021-20 10/18/2021 Agents are able to lock the ticket without the "Owner" permission CVE-2021-36097 LOW

  • ID: OSA-2021-20
  • Date: 2021-10-18
  • Title: Agents are able to lock the ticket without the "Owner" permission
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.17
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C
OTRS Security Advisory 2022-01 02/07/2022 Dynamic field error message is vulnerable to XSS CVE-2022-0473 LOW

  • ID: OSA-2022-01
  • Date: 2021-02-07
  • Title: Dynamic field error message is vulnerable to XSS
  • Severity: 3.8 LOW
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.32
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
OTRS Security Advisory 2022-02 02/07/2022 Disclosure of mail addresses CVE-2022-0474 LOW

  • ID: OSA-2022-02
  • Date: 2022-02-07
  • Title: Disclosure of mail addresses
  • Severity: 2.4 LOW
  • Product: OTRSCustomContactFields 8.0.x
  • Fixed in: OTRS 8.0.12
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
OTRS Security Advisory 2022-04 02/07/2022 Several vulnerabilities in third-party npm modules CVE-2021-3803 / CVE-2021-3807 / CVE-2021-23368 MEDIUM

  • ID: OSA-2022-04
  • Date: 2022-02-07
  • Title: Several vulnerabilities in third-party npm modules
  • Severity: 5.8 MEDIUM
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.19
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
OTRS Security Advisory 2022-03 03/21/2022 Authenticated remote code execution CVE-2021-36100 MEDIUM

  • ID: OSA-2022-03
  • Date: 2022-03-21
  • Title: Authenticated remote code execution
  • Severity: 6.4 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRSSTORM 8.0.x, OTRSSTORM 7.0.x, OTRSSTORM 6.0.x, SystemMonitoring 8.0.x, SystemMonitoring 7.0.x, SystemMonitoring 6
OTRS Security Advisory 2022-05 03/21/2022 Possible XSS attack via translation CVE-2022-0475 LOW

  • ID: OSA-2022-05
  • Date: 2022-03-21
  • Title: Possible XSS attack via translation
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.33, OTRS 8.0.20
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:
OTRS Security Advisory 2022-06 03/21/2022 Information disclosure in the External Interface CVE-2022-1004 MEDIUM

  • ID: OSA-2022-06
  • Date: 2022-03-21
  • Title: Information disclosure in the External Interface
  • Severity: 4.3 MEDIUM
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.33, OTRS 8.0.20
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/
OTRS Security Advisory 2022-07 06/13/2022 OTRS version number is always in the exported ICS files CVE-2022-32739 LOW

  • ID: OSA-2022-07
  • Date: 2022-06-13
  • Title: OTRS version number is always in the exported ICS files
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x, OTRS 7.0.x, OTRSCalendarResourcePlanning 8.0.x, OTRSCalendarResourcePlanning 7.0.x
  • Fixed in: OTRS
OTRS Security Advisory 2022-08 06/13/2022 Information disclosure in the External Interface CVE-2022-32740 LOW

  • ID: OSA-2022-08
  • Date: 2022-06-13
  • Title: Information disclosure in the External Interface
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.23, OTRS 7.0.35
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/U
OTRS Security Advisory 2022-09 06/13/2022 Information disclosure in Request New Password feature CVE-2022-32741 MEDIUM

  • ID: OSA-2022-09
  • Date: 2022-06-13
  • Title: Information disclosure in Request New Password feature
  • Severity: 5.3 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.23, OTRS 7.0.35
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/A
OTRS Security Advisory 2022-10 09/05/2022 Possible XSS in Admin Interface CVE-2022-39049 LOW

  • ID: OSA-2022-10
  • Date: 2022-09-05
  • Title: Possible XSS in Admin Interface
  • Severity: 3.5 LOW
  • Product: ((OTRS)) Community Edition 6.0.x, OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.37, OTRS 8.0.25
  • FULL CVSS v3.1 VECTOR:
OTRS Security Advisory 2022-11 09/05/2022 Possible XSS stored in customer information CVE-2022-39050 MEDIUM

  • ID: OSA-2022-11
  • Date: 2022-09-05
  • Title: Possible XSS stored in customer information
  • Severity: 4.6 MEDIUM
  • Product: ((OTRS)) Community Edition 6.0.x, OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.37, OTRS 8.0.25
  • FULL CVSS v3.1 V
OTRS Security Advisory 2022-12 09/05/2022 Perl Code execution in Template Toolkit CVE-2022-39051 MEDIUM

  • ID: OSA-2022-12
  • Date: 2022-09-05
  • Title: Perl Code execution in Template Toolkit
  • Severity: 6.8 MEDIUM
  • Product: ((OTRS)) Community Edition 6.0.x, OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 8.0.25, OTRS 7.0.37
  • FULL CVSS v3.1 VECTO
OTRS Security Advisory 2022-13 10/17/2022 DoS attack using email CVE-2022-39052 HIGH

  • ID: OSA-2022-13
  • Date: 2022-10-17
  • Title: DoS attack using email
  • Severity: 7.5 HIGH
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.26, OTRS 7.0.39
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
OTRS Security Advisory 2022-14 10/17/2022 Information exposure of template content due to missing check of permissions CVE-2022-3501 LOW

  • ID: OSA-2022-14
  • Date: 2022-10-17
  • Title: Information exposure of template content due to missing check of permissions
  • Severity: 3.5 LOW
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.26
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:
OTRS Security Advisory 2022-15 12/19/2022 Improper Input Validation vulnerability in OTRS and ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice CVE-2022-4427 MEDIUM

  • ID: OSA-2022-15
  • Date: 2022-12-19
  • Title: SQL Injection via OTRS Search API
  • Severity: 6.5 MEDIUM
  • Product: OTRS 8.0.x, OTRS 7.0.x
  • Fixed in: OTRS 8.0.28 Patch 1 or OTRS 7.0.40 Patch 1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/
OTRS Security Advisory 2023-01 03/20/2023 Possible XSS in Ticket Actions CVE-2023-1248 MEDIUM

  • ID: OSA-2023-01
  • Date: 2023-03-20
  • Title: Possible XSS in Ticket Actions
  • Severity: 5.4 MEDIUM
  • Product: OTRS 7.0.x
  • Fixed in: OTRS 7.0.42
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Reference
OTRS Security Advisory 2023-02 03/20/2023 Code execution through ACL creation CVE-2023-1250 HIGH

  • ID: OSA-2023-02
  • Date: 2023-03-20
  • Title: Code execution through ACL creation
  • Severity: 7.4 HIGH
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.42, OTRS 8.0.31
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I
OTRS Security Advisory 2023-03 05/08/2023 Information disclosure and DoS via websocket push events CVE-2023-2534 HIGH

  • ID: OSA-2023-03
  • Date: 2023-05-08
  • Title: Information disclosure and DoS via websocket push events
  • Severity: 7.6 HIGH
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.32
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:
OTRS Security Advisory 2023-04 07/24/2023 Host header injection by attachments in web service CVE-2023-38060 MEDIUM

  • ID: OSA-2023-04
  • Date: 2023-07-24
  • Title: Host header injection by attachments in web service
  • Severity: 6.3 MEDIUM
  • Product: ((OTRS)) Community Edition 6.0.x, OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.45, OTRS 8.0.35
  • CVSS:3.1/
OTRS Security Advisory 2023-05 07/24/2023 Code execution via System Configuration CVE-2023-38056 HIGH

  • ID: OSA-2023-05
  • Date: 2023-07-24
  • Title: Code execution via System Configuration
  • Severity: 7.2 HIGH
  • Product: ((OTRS)) Community Edition 6.0.x, OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.45, OTRS 8.0.35
  • CVSS:3.1/AV:N/AC:L/PR:H/
OTRS Security Advisory 2023-06 07/24/2023 Possible XSS stored in survey answers CVE-2023-38057 MEDIUM

  • ID: OSA-2023-06
  • Date: 2023-07-24
  • Title: Possible XSS stored in survey answers
  • Severity: 4.1 MEDIUM
  • Product: Survey 6.0.x, Survey 7.0.x, Survey 8.0.x
  • Fixed in: Survey 7.0.32, Survey 8.0.13
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:
OTRS Security Advisory 2023-07 07/24/2023 Tickets can be moved without permission CVE-2023-38058 MEDIUM

  • ID: OSA-2023-07
  • Date: 2023-07-24
  • Title: Tickets can be moved without permission
  • Severity: 4.1 MEDIUM
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.35
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
  • References: CVE-2023-38
OTRS Security Advisory 2023-08 10/16/2023 External pictures can be loaded even if not allowed by configuration CVE-2023-38059 MEDIUM

  • ID: OSA-2023-08
  • Date: 2023-10-16
  • Title: External pictures can be loaded even if not allowed by configuration
  • Severity: 5.3 MEDIUM
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.47, OTRS 8.0.37
  • CVSS: CVSS:3.1/AV:N/AC:L/P
OTRS Security Advisory 2023-09 10/16/2023 Possible XSS execution in customer information CVE-2023-5421 LOW

  • ID: OSA-2023-09
  • Date: 2023-10-16
  • Title: Possible XSS execution in customer information
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.47, OTRS 8.0.37
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:A/AC:L/PR:H/UI:N
OTRS Security Advisory 2023-10 10/16/2023 SSL Certificates are not checked for E-Mail Handling CVE-2023-5422 HIGH

  • ID: OSA-2023-10
  • Date: 2023-10-16
  • Title: SSL Certificates are not checked for E-Mail Handling
  • Severity: 8.7 HIGH
  • Product: OTRS 7.0.x, OTRS 8.0.x
  • Fixed in: OTRS 7.0.47, OTRS 8.0.37
  • CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I
OTRS Security Advisory 2023-11 11/27/2023 Password is sent back to client CVE-2023-6254 HIGH

  • ID: OSA-2023-11
  • Date: 2023-11-07
  • Title: Password is sent back to client
  • Severity: 8.1 HIGH
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 2023.1.1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Re
OTRS Security Advisory 2024-01 01/29/2024 Missing file type check in avatar picture upload CVE-2024-23790 LOW

  • ID: OSA-2024-01
  • Date: 2024-01-29
  • Title: Missing file type check in avatar picture upload
  • Severity: 3.5 LOW
  • Product: OTRS 7.0.x, OTRS
  • Fixed in: OTRS 7.0.49, OTRS 2024.1.1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S
OTRS Security Advisory 2024-02 01/29/2024 Unnecessary data is written to log if issues during indexing occur CVE-2024-23791 MEDIUM

  • ID: OSA-2024-02
  • Date: 2024-01-29
  • Title: Unnecessary data is written to log if issues during indexing occur
  • Severity: 4.9 MEDIUM
  • Product: OTRS 7.0.x, OTRS
  • Fixed in: OTRS 7.0.49, OTRS 2024.1.1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1
OTRS Security Advisory 2024-03 01/29/2024 Insufficient access control CVE-2024-23792 MEDIUM

  • ID: OSA-2024-03
  • Date: 2024-01-29
  • Title: Insufficient access control
  • Severity: 5.3 MEDIUM
  • Product: OTRS 7.0.x, OTRS
  • Fixed in: OTRS 7.0.49, OTRS 2024.1.1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Re
OTRS Security Advisory 2024-04 01/29/2024 A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor CVE-2021-33829 MEDIUM

  • ID: OSA-2024-04
  • Date: 2024-01-29
  • Title: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor
  • Severity: 6.1 MEDIUM
  • Product: OTRS 7.0.x, OTRS, ((OTRS)) Community Edition
  • Fixed in: OTRS 7.0.49, OTRS 2024.1.1,
OTRS Security Advisory 2024-05 06/03/2024 Upload of files outside application directory CVE-2024-23793 MEDIUM

  • ID: OSA-2024-05
  • Date: 2024-06-03
  • Title: Possible remote code execution in uploaded filenames
  • Severity (CVSS v3.1): 6.3 MEDIUM
  • Severity (CVSS v4.0): 6.8 MEDIUM
  • Urgency: Moderate
  • Products: OTRS, ((OTRS)) Community Edition