CVE-2017-17476
Severity
HIGH
OTRS 4.0.x < 4.0.28, 5.0.x < 5.0.26, 6.0.x < 6.0.3 - Session Hijacking via Crafted Email
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
References (6)
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
Patch, Vendor Advisory x_refsource_confirm
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
Third Party Advisory, vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4069
Mailing List, Third Party Advisory, mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
Scores
CVSS v3
8.8
EPSS
0.0222
EPSS Percentile
80.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-200
Status
published
Products (4)
debian/debian_linux
7.0
debian/debian_linux
8.0
debian/debian_linux
9.0
otrs/otrs
4.0.0 - 4.0.28
Published
Dec 20, 2017
Tracked Since
Feb 18, 2026