CVE-2019-9892

MEDIUM

OTRS <=5.0.34, <=6.0.17, <=7.0.6 - Info Disclosure

Title source: llm

Description

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.

Scores

CVSS v3 6.5
EPSS 0.0043
EPSS Percentile 62.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-91
Status published
Products (2)
debian/debian_linux 8.0
otrs/otrs 5.0.0 - 5.0.34
Published May 22, 2019
Tracked Since Feb 18, 2026