otrs-3.3.16-37.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10073 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z otrs-3.3.16-37.1 on GA media These are all security issues fixed in the otrs-3.3.16-37.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10073 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10073 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-2582/ SUSE CVE CVE-2012-2582 page https://www.suse.com/security/cve/CVE-2012-4600/ SUSE CVE CVE-2012-4600 page https://www.suse.com/security/cve/CVE-2012-4751/ SUSE CVE CVE-2012-4751 page https://www.suse.com/security/cve/CVE-2013-2625/ SUSE CVE CVE-2013-2625 page https://www.suse.com/security/cve/CVE-2013-2637/ SUSE CVE CVE-2013-2637 page https://www.suse.com/security/cve/CVE-2013-3551/ SUSE CVE CVE-2013-3551 page https://www.suse.com/security/cve/CVE-2013-4088/ SUSE CVE CVE-2013-4088 page https://www.suse.com/security/cve/CVE-2013-4717/ SUSE CVE CVE-2013-4717 page https://www.suse.com/security/cve/CVE-2013-4718/ SUSE CVE CVE-2013-4718 page https://www.suse.com/security/cve/CVE-2014-1695/ SUSE CVE CVE-2014-1695 page https://www.suse.com/security/cve/CVE-2014-2553/ SUSE CVE CVE-2014-2553 page https://www.suse.com/security/cve/CVE-2014-2554/ SUSE CVE CVE-2014-2554 page https://www.suse.com/security/cve/CVE-2014-9324/ SUSE CVE CVE-2014-9324 page https://www.suse.com/security/cve/CVE-2016-9139/ SUSE CVE CVE-2016-9139 page openSUSE Tumbleweed otrs-3.3.16-37.1 otrs-doc-3.3.16-37.1 otrs-itsm-3.3.14-37.1 otrs-3.3.16-37.1 as a component of openSUSE Tumbleweed otrs-doc-3.3.16-37.1 as a component of openSUSE Tumbleweed otrs-itsm-3.3.14-37.1 as a component of openSUSE Tumbleweed Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element. CVE-2012-2582 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-2582.html CVE-2012-2582 https://bugzilla.suse.com/776966 SUSE Bug 776966 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags. CVE-2012-4600 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4600.html CVE-2012-4600 https://bugzilla.suse.com/778655 SUSE Bug 778655 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element. CVE-2012-4751 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4751.html CVE-2012-4751 https://bugzilla.suse.com/791014 SUSE Bug 791014 An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, and 3.0.19, OTRS ITSM before 3.2.3, 3.1.8, and 3.0.7, and FAQ before 2.2.3, 2.1.4, and 2.0.8. Access rights by the object linking mechanism is not verified CVE-2013-2625 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2625.html CVE-2013-2625 A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code. CVE-2013-2637 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2637.html CVE-2013-2637 Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism. CVE-2013-3551 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-3551.html CVE-2013-3551 https://bugzilla.suse.com/864613 SUSE Bug 864613 Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism. CVE-2013-4088 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4088.html CVE-2013-4088 Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. CVE-2013-4717 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4717.html CVE-2013-4717 https://bugzilla.suse.com/828850 SUSE Bug 828850 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search. CVE-2013-4718 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4718.html CVE-2013-4718 https://bugzilla.suse.com/828850 SUSE Bug 828850 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email. CVE-2014-1695 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1695.html CVE-2014-1695 https://bugzilla.suse.com/866476 SUSE Bug 866476 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields. CVE-2014-2553 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2553.html CVE-2014-2553 https://bugzilla.suse.com/871758 SUSE Bug 871758 OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. CVE-2014-2554 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-2554.html CVE-2014-2554 https://bugzilla.suse.com/871758 SUSE Bug 871758 The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors. CVE-2014-9324 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9324.html CVE-2014-9324 https://bugzilla.suse.com/910988 SUSE Bug 910988 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment. CVE-2016-9139 openSUSE Tumbleweed:otrs-3.3.16-37.1 openSUSE Tumbleweed:otrs-doc-3.3.16-37.1 openSUSE Tumbleweed:otrs-itsm-3.3.14-37.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9139.html CVE-2016-9139 https://bugzilla.suse.com/1008017 SUSE Bug 1008017