OTRS Home
OTRS Software Solutions

Customizable Software

OTRS

OTRS is flexible and customizable software with out-of-the-box solutions for all service management needs.

Features

Service Levels

How To Buy

OTRS On-Premise & Managed Comparison

((OTRS)) Community Edition

WhatsApp Integration for OTRS

OTRS App

Solutions for

Customer Service & Support

Boost customer satisfaction very rapidly – never miss requests, lower the response time (MTTR)

IT Service Management

Support for your IT department with automated, ITIL4-compliant processes

Office Management

Automate office management processes with our software solution

HR Management

Support your HR team with numerous processes, such as application or leave management

Cyber Defense & Security Incidents – STORM

The solution for fast security orchestration, automation, and incident response

Roadmap & Release Cycle

Release Notes

Security Advisories
Use Cases
Service Management
Customer Service Software
Help Desk
ITSM – IT Service Management

Security Management
Corporate Security
Security Incident Management
Vulnerability Management
ISMS
ISO 27001 Certification

Task Management
Ticketing System
Issue Tracking System
Asset Management
CMDB

Technology Management
BPMS – Business Process Management Software

Knowledge Management
Knowledge Management in Customer Service
Services

Services

Services

Consulting, training, customer service: Find official OTRS services

FAQ

OTRS Trainings

Webinars about OTRS

Get useful information about the latest OTRS version. Watch how OTRS works.

Public Trainings

Stay up-to-date with your knowledge about OTRS. Book a public training.

Academy

The Academy offers training classes to help teams and admins maximize the use of their OTRS instance.

Customer Portal

Contact Sales

Contact Consulting

Contact Customer Service
Success Stories
OTRSmag
Contact

Release Note

OTRS Security Advisory 2020-01

January 10, 2020 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

pub 2048R/9C227C6B 2011-03-21
uid OTRS Security Team <security@otrs.org>
GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

ID: OSA-2020-01
Date: 2020-01-10
Title: Spoofing of From field in several screens
Severity: 3.5. LOW
Product: OTRS 7.0.x, ((OTRS)) Community Edition 6.0.x, ((OTRS)) Community Edition 5.0.x
Fixed in: OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25, ((OTRS)) Community Edition 5.0.40
FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
References: CVE-2020-1765

OSA-2020-01 Spoofing of From field in several screens (CVE-2020-1765)

Product Affected:

This issue affects ((OTRS)) Community Edition 5.0.x, 6.0.x. This issue affects OTRS 7.0.x.

Problem:

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound.

This issue affects:

((OTRS)) Community Edition
5.0.x version 5.0.39 and prior versions;
6.0.x version 6.0.24 and prior versions.

OTRS
7.0.x version 7.0.13 and prior versions.

This issue was discovered during an external security research.
This issue has been assigned CVE-2020-1765.

Solution:

Upgrade to OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25, ((OTRS)) Community Edition 5.0.40

Patch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/d146d4997cbd6e1370669784c6a2ec8d64655252

Patch for ((OTRS)) Community Edition 5: https://github.com/OTRS/otrs/commit/874889b86abea4c01ceb1368a836b66694fae1c3

Modification History:

2020-01-10: Initial Publication.

Related Links:

CVE-2020-1765 at cve.mitre.org

CVSS Score:

3.5 ( CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Risk Level:

LOW

Acknowledgments:

Sebastian Renker, Jonas Becker