Description
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may import carefully crafted Report Statistics XML that results in reading arbitrary files on the OTRS filesystem.
References (5)
Mailing List, Third Party Advisory (x_refsource_misc): https://lists.debian.org/debian-lts-announce/2019/05/msg00003.html
Vendor Advisory (x_refsource_confirm): https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/
Vendor Advisory, broken link (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
Vendor Advisory, broken link (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
Vendor Advisory, broken link (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
Scores
CVSS v3 base score: 6.5
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0110
EPSS Percentile: 61.2%
Details
CWE: CWE-91
Status: published
Products (2):
debian/debian_linux 8.0
otrs/otrs 5.0.0 - 5.0.34
Published: May 22, 2019
Tracked Since: Feb 18, 2026