FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
e3e788aa-e9fd-11e2-a96e-60a44c524f57otrs -- Sql Injection + Xss Issue

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.


Discovery 2013-07-09
Entry 2013-07-11
otrs
lt 3.2.9

CVE-2013-4717
CVE-2013-4718
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/
95a69d1a-52a5-11e2-a289-1c4bd681f0cfotrs -- XSS vulnerability in Firefox and Opera

OTRS Security Advisory reports:

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email in Firefox and Opera. In this case this is achieved with an invalid HTML structure with nested tags.


Discovery 2012-08-30
Entry 2012-12-30
otrs
lt 3.1.10

CVE-2012-4600
http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-02/
a5b24a6b-c37c-11e2-addb-60a44c524f57otrs -- information disclosure

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets and they are not permitted to see.


Discovery 2013-05-22
Entry 2013-05-23
otrs
lt 3.2.7

CVE-2013-3551
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
cebd05d6-ed7b-11e7-95f2-005056925db4OTRS -- Multiple vulnerabilities

OTRS reports:

An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user.

An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal article information of their customer tickets.

An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.

An attacker can send a specially prepared email to an OTRS system. If this system has cookie support disabled, and a logged in agent clicks a link in this email, the session information could be leaked to external systems, allowing the attacker to take over the agent’s session.


Discovery 2017-11-21
Entry 2017-12-30
otrs
lt 5.0.26

CVE-2017-16664
CVE-2017-16854
CVE-2017-16921
ports/224729
https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
a4372a68-652c-11e0-a25a-00151735203aOTRS -- Several XSS attacks possible

OTRS Security Advisory reports:

  • Several XSS attacks possible: An attacker could trick a logged in user to following a prepared URL inside of the OTRS system which causes a page to be shown that possibly includes malicious !JavaScript code because of incorrect escaping during the generation of the HTML page.

Discovery 2011-03-12
Entry 2011-04-12
otrs
gt 2.3.* lt 3.0.7

CVE-2011-1518
http://otrs.org/advisory/OSA-2011-01-en/
13320091-52a6-11e2-a289-1c4bd681f0cfotrs -- XSS vulnerability

OTRS Security Advisory reports:

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email. In this case this is achieved by using javascript source attributes with whitespaces.


Discovery 2012-10-16
Entry 2012-12-30
otrs
lt 3.1.11

CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://www.kb.cert.org/vuls/id/603276
70b72a52-9e54-11e3-babe-60a44c524f57otrs -- XSS Issue

The OTRS Project reports:

An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.


Discovery 2014-02-25
Entry 2014-02-25
otrs
lt 3.1.20

gt 3.2.* lt 3.2.15

gt 3.3.* lt 3.3.5

https://www.otrs.com/security-advisory-2014-03-xss-issue/
CVE-2014-1695
661bd031-c37d-11e2-addb-60a44c524f57otrs -- XSS vulnerability

The OTRS Project reports:

An attacker with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.


Discovery 2013-04-02
Entry 2013-05-23
otrs
lt 3.1.8

CVE-2013-2637
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/
8b97d289-d8cf-11e2-a1f5-60a44c524f57otrs -- information disclosure

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see contents of tickets they are not permitted to see.


Discovery 2013-06-18
Entry 2013-06-19
otrs
lt 3.2.8

CVE-2013-4088
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
c7b5d72b-886a-11e3-9533-60a44c524f57otrs -- multiple vulnerabilities

The OTRS Project reports:

SQL injection issue

An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.


Discovery 2014-01-28
Entry 2014-01-28
Modified 2014-02-06
otrs
lt 3.1.19

gt 3.2.* lt 3.2.14

gt 3.3.* lt 3.3.4

CVE-2014-1471
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
86baa0d4-c997-11e0-8a8e-00151735203aOTRS -- Vulnerabilities in OTRS-Core allows read access to any file on local file system

OTRS Security Advisory reports:

  • An attacker with valid session and admin permissions could get read access to any file on the servers local operating system. For this it would be needed minimum one installed OTRS package.

Discovery 2011-08-16
Entry 2011-08-18
otrs
gt 2.1.* lt 3.0.10

CVE-2011-2746
http://otrs.org/advisory/OSA-2011-03-en/
96e776c7-e75c-11df-8f26-00151735203aOTRS -- Multiple XSS and denial of service vulnerabilities

OTRS Security Advisory reports:

  • Multiple Cross Site Scripting issues: Missing HTML quoting allows authenticated agents or customers to inject HTML tags. This vulnerability allows an attacker to inject script code into the OTRS web-interface which will be loaded and executed in the browsers of system users.
  • Possible Denial of Service Attack: Perl's regular expressions consume 100% CPU time on the server if an agent or customer views an affected article. To exploit this vulnerability the malicious user needs to send extremely large HTML emails to your system address.

AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:

Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS, javascript contained in the email can do everything in the OTRS agent interface that the agent himself could do.

Most relevant is that this type of exploit can be used in such a way that the agent won't even detect he is being exploited.


Discovery 2010-09-15
Entry 2010-11-03
otrs
gt 2.3.* lt 2.4.9

CVE-2010-2080
CVE-2010-4071
http://otrs.org/advisory/OSA-2010-02-en/
http://otrs.org/advisory/OSA-2010-03-en/
49a6026a-52a3-11e2-a289-1c4bd681f0cfotrs -- XSS vulnerability in Internet Explorer

OTRS Security Advisory reports:

This advisory covers vulnerabilities discovered in the OTRS core system. Due to the XSS vulnerability in Internet Explorer an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your Internet Explorer while displaying the email.


Discovery 2012-08-22
Entry 2012-12-30
otrs
lt 3.1.9

CVE-2012-2582
http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-01/
ffa7c6e4-bb29-11e3-8136-60a44c524f57otrs -- Clickjacking issue

The OTRS Project reports:

An attacker could embed OTRS in a hidden iframe tag of another page, tricking the user into clicking links in OTRS.


Discovery 2014-04-01
Entry 2014-04-03
otrs
lt 3.1.21

gt 3.2.* lt 3.2.16

gt 3.3.* lt 3.3.6

http://www.w3.org/1999/xhtml
CVE-2014-2554
eae8e3cf-9dfe-11e2-ac7f-001fd056c417otrs -- Information disclosure and Data manipulation

The OTRS Project reports:

An attacker with a valid agent login could manipulate URLs in the object linking mechanism to see titles of tickets and other objects that are not obliged to be seen. Furthermore, links to objects without permission can be placed and removed.


Discovery 2013-04-02
Entry 2013-04-05
otrs
lt 3.1.14

CVE-2013-2625
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/