CVE-2019-12746
MEDIUM
OTRS 5.0.0-5.0.36 - Exposure of Sensitive Information via Embedded Ticket Article Link
Title source: llm
Description
An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused to impersonate the agent user.
References (7)
Core References
Broken Link vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
Broken Link vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
Broken Link vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
Patch, Vendor Advisory
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html
Scores
CVSS v3
6.5
EPSS
0.0202
EPSS Percentile
78.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
debian/debian_linux
8.0
otrs/otrs
5.0.0 - 5.0.36
Published
Aug 21, 2019
Tracked Since
Feb 18, 2026