Input validation error in OTRS

#VU31198 Input validation error in OTRS

Published: 2018-09-28 | Updated: 2020-07-17

Vulnerability identifier: #VU31198

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16586

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OTRS
Web applications / Other software

Vendor: otrs.org

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OTRS: 6.0.0 - 6.0.10

External links
http://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/
http://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963
http://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7
http://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302
http://lists.debian.org/debian-lts-announce/2018/09/msg00033.html
http://www.debian.org/security/2018/dsa-4317

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in otrs (Alpine package)

OpenSUSE Linux update for otrs

Multiple vulnerabilities in otrs OTRS