Overview Details Repositories Revisions Requests Users Attributes Meta
Security update for otrs

This update for otrs to version 4.0.32 fixes the following issues:

These security issues were fixed:

- CVE-2018-16586: An attacker could have sent a malicious email to an OTRS
system. If a logged in user opens it, the email could have caused the browser
to load external image or CSS resources (bsc#1109822).
- CVE-2018-16587: An attacker could have sent a malicious email to an OTRS
system. If a user with admin permissions opens it, it caused deletions of
arbitrary files that the OTRS web server user has write access to
(bsc#1109823).
- CVE-2018-14593: An attacker who is logged into OTRS as an agent may have
escalated their privileges by accessing a specially crafted URL (bsc#1103800).

These non-security issues were fixed:

- fixed permissions file @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/
- ACL for Action AgentTicketBulk were inconsistent.

Fixed bugs
bnc#1103800
VUL-1: CVE-2018-14593: otrs: An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is loggedinto OTRS as an agent may escalate their privileges by access
bnc#1109822
VUL-1: CVE-2018-16586: otrs: Loading External Image or CSS Resources (OSA-2018-05)
bnc#1109823
VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)
CVE-2018-16586
CVE-2018-14593
CVE-2018-16587
Selected Binaries
openSUSE Build Service is sponsored by
Places