Description
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
Exploits (2)
nomisec
WORKING POC
by Smarttfoxx · poc
https://github.com/Smarttfoxx/OTRS-4.0.1-6.0.1-Remote-Command-Execution
References (5)
Core 5
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html
Exploit, Third Party Advisory, VDB Entry exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/43853/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4066
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/162295/OTRS-6.0.1-Remote-Command-Execution.html
Scores
CVSS v3
8.8
EPSS
0.3387
EPSS Percentile
97.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (43)
debian/debian_linux
7.0
debian/debian_linux
8.0
debian/debian_linux
9.0
otrs/otrs
4.0.1
otrs/otrs
4.0.2
otrs/otrs
4.0.3
otrs/otrs
4.0.4
otrs/otrs
4.0.5
otrs/otrs
4.0.6
otrs/otrs
4.0.7
... and 33 more
Published
Dec 08, 2017
Tracked Since
Feb 18, 2026