-------------------------------------------------------------------------
Debian LTS Advisory DLA-3551-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
August 31, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : otrs2
Version        : 6.0.16-2+deb10u1
CVE ID         : CVE-2019-11358 CVE-2019-12248 CVE-2019-12497 CVE-2019-12746
                 CVE-2019-13458 CVE-2019-16375 CVE-2019-18179 CVE-2019-18180
                 CVE-2020-1765 CVE-2020-1766 CVE-2020-1767 CVE-2020-1769
                 CVE-2020-1770 CVE-2020-1771 CVE-2020-1772 CVE-2020-1773
                 CVE-2020-1774 CVE-2020-1776 CVE-2020-11022 CVE-2020-11023
                 CVE-2021-21252 CVE-2021-21439 CVE-2021-21440 CVE-2021-21441
                 CVE-2021-21443 CVE-2021-36091 CVE-2021-36100 CVE-2021-41182
                 CVE-2021-41183 CVE-2021-41184 CVE-2022-4427 CVE-2023-38060
Debian Bug     : 945251 959448 980891 989992 991593

Multiple vulnerabilities were found in otrs2, the Open-Source Ticket
Request System, which could lead to impersonation, denial of service,
information disclosure, or execution of arbitrary code.

CVE-2019-11358

    A Prototype Pollution vulnerability was discovered in OTRS' embedded
    jQuery 3.2.1 copy, which could allow sending drafted messages as
    the wrong agent.

    This vulnerability is also known as OSA-2020-05.

CVE-2019-12248

    Matthias Terlinde discovered that when an attacker sends a malicious
    email to an OTRS system and a logged-in agent user later quotes it,
    the email could cause the browser to load external image resources.

    A new configuration setting ‘Ticket::Frontend::BlockLoadingRemoteContent’
    has been added as part of the fix.  It controls whether external
    content should be loaded, and it is disabled by default.

    This vulnerability is also known as OSA-2019-08.

CVE-2019-12497

    Jens Meister discovered that in the customer or external frontend,
    personal information of agents, like Name and mail address in
    external notes, could be disclosed.

    A new configuration setting ‘Ticket::Frontend::CustomerTicketZoom###DisplayNoteFrom’
    has been added as part of the fix.  It controls whether agent
    information should be displayed in the external note sender field,
    or be substituted with a different generic name.  Another option named
    ‘Ticket::Frontend::CustomerTicketZoom###DefaultAgentName’ can then
    be used to define the generic agent name used in the latter case.
    By default, the previous behavior is preserved, in which agent
    information is divulged in the external note From field, for the
    sake of backwards compatibility.

    This vulnerability is also known as OSA-2019-09.

CVE-2019-12746

    A user logged into OTRS as an agent might unknowingly disclose their
    session ID by sharing the link of an embedded ticket article with
    third parties.  This identifier can then potentially be abused in
    order to impersonate the agent user.

    This vulnerability is also known as OSA-2019-10.

CVE-2019-13458

    An attacker who is logged into OTRS as an agent user with
    appropriate permissions can leverage OTRS tags in templates in order
    to disclose hashed user passwords.

    This vulnerability is also known as OSA-2019-12.

CVE-2019-16375

    An attacker who is logged into OTRS as an agent or customer user
    with appropriate permissions can create a carefully crafted string
    containing malicious JavaScript code as an article body.  This
    malicious code is executed when an agent composes an answer to the
    original article.

    This vulnerability is also known as OSA-2019-13.

CVE-2019-18179

    An attacker who is logged into OTRS as an agent is able to list
    tickets assigned to other agents, which are in a queue where the
    attacker doesn't have permissions.

    This vulnerability is also known as OSA-2019-14.

CVE-2019-18180

    OTRS can be put into an endless loop by providing filenames with
    overly long extensions.  This applies to the PostMaster (sending in
    email) and also upload (attaching files to mails, for example).

    This vulnerability is also known as OSA-2019-15.

CVE-2020-1765

    Sebastian Renker and Jonas Becker discovered an improper control of
    parameters, which allows the spoofing of the From fields in several
    screens, namely AgentTicketCompose, AgentTicketForward,
    AgentTicketBounce and AgentTicketEmailOutbound.

    This vulnerability is also known as OSA-2020-01.

CVE-2020-1766

    Anton Astaf'ev discovered that due to improper handling of uploaded
    images, it is possible — in very unlikely and rare conditions — to
    force the agent's browser to execute malicious JavaScript from a
    specially crafted SVG file rendered as an inline jpg file.

    This vulnerability is also known as OSA-2020-02.

CVE-2020-1767

    Agent A is able to save a draft (i.e., for customer reply).  Then
    Agent B can open the draft, change the text completely and send it
    in the name of Agent A.  For the customer it will not be visible
    that the message was sent by another agent.

    This vulnerability is also known as OSA-2020-03.

CVE-2020-1769

    Martin Møller discovered that in the login screens (in agent and
    customer interface), Username and Password fields use autocomplete,
    which might be considered a security issue.

    A new configuration setting ‘DisableLoginAutocomplete’ has been
    added as part of the fix.  It controls whether to disable
    autocompletion in the login forms, by setting the
    autocomplete="off" attribute to the login input fields.  Note that
    some browsers ignore it by default (usually it can be changed in the
    browser configuration).

    This vulnerability is also known as OSA-2020-06.

CVE-2020-1770

    Matthias Terlinde discovered that the support bundle generated files
    could contain sensitive information, such as user credentials.

    This vulnerability is also known as OSA-2020-07.

CVE-2020-1771

    Christoph Wuetschne discovered that an attacker is able to craft an
    article with a link to the customer address book with malicious
    content (JavaScript).  When an agent opens the link, JavaScript code
    is executed due to the missing parameter encoding.

    This vulnerability is also known as OSA-2020-08.

CVE-2020-1772

    Fabian Henneke discovered that it is possible to craft Lost Password
    requests with wildcards in the Token value, which allows an attacker
    to retrieve valid Token(s), generated by users who have already
    requested new passwords.

    This vulnerability is also known as OSA-2020-09.

CVE-2020-1773

    Fabian Henneke discovered that an attacker with the ability to
    generate session IDs or password reset tokens, either by being able
    to authenticate or by exploiting CVE-2020-1772, may be able to
    predict other users' session IDs, password reset tokens and
    automatically generated passwords.

    The fix adds ‘libmath-random-secure-perl’ to otrs2's Depends:.

    This vulnerability is also known as OSA-2020-10.
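
    An added illustration of the two checks behind CVE-2020-1772 and
    CVE-2020-1773 above, written in Python rather than OTRS' Perl; it is
    not OTRS code.  The table layout, the function names and the
    assumption that the weak lookup treats the supplied value as a search
    pattern are constructed for the example.

```python
import re
import secrets
import sqlite3

# Constructed illustration: schema and function names are hypothetical
# and do not reproduce OTRS code.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # shape of token_urlsafe(32)


def make_store():
    """In-memory stand-in for wherever reset tokens are persisted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reset_tokens (login TEXT, token TEXT)")
    return db


def issue_token(db, login):
    """Issue a reset token drawn from the OS CSPRNG, so that seeing one
    token gives no help in predicting another (the CVE-2020-1773 side)."""
    token = secrets.token_urlsafe(32)  # 32 random bytes -> 43 characters
    db.execute("INSERT INTO reset_tokens VALUES (?, ?)", (login, token))
    return token


def lookup_pattern(db, supplied):
    """Weak lookup: the supplied value is used as a search pattern, so a
    wildcard matches a token the requester never received."""
    pattern = supplied.replace("*", "%")
    row = db.execute(
        "SELECT login FROM reset_tokens WHERE token LIKE ?", (pattern,)
    ).fetchone()
    return row[0] if row else None


def lookup_exact(db, supplied):
    """Hardened lookup: reject anything that is not token-shaped, then
    require an exact, constant-time match."""
    if not TOKEN_RE.fullmatch(supplied):
        return None
    rows = db.execute(
        "SELECT login, token FROM reset_tokens WHERE token = ?", (supplied,)
    )
    for login, token in rows:
        if secrets.compare_digest(token, supplied):
            return login
    return None


if __name__ == "__main__":
    store = make_store()
    real = issue_token(store, "agent1")  # constructed sample account
    print("pattern lookup with '*':", lookup_pattern(store, "*"))
    print("exact lookup with '*':  ", lookup_exact(store, "*"))
    print("exact lookup with token:", lookup_exact(store, real))
```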

CVE-2020-1774

    When a user downloads PGP or S/MIME keys/certificates, the exported
    file has the same name for private and public keys.  It is therefore
    possible to mix them up and to send the private key to a third party
    instead of the public key.

    This vulnerability is also known as OSA-2020-11.

CVE-2020-1776

    When an agent user is renamed or set to invalid, the session
    belonging to the user is kept active.  The session cannot be used
    to access ticket data in the case the agent is invalid.

    This vulnerability is also known as OSA-2020-13.

CVE-2020-11022

    Masato Kinugawa discovered a potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1's htmlPrefilter and related methods.

    The fix requires patching embedded copies of fullcalendar (3.4.0),
    fullcalendar-scheduler (1.6.2) and spectrum (1.8.0).

    This vulnerability is also known as OSA-2020-14.

CVE-2020-11023

    Masato Kinugawa discovered a potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1 copy when appending HTML containing option
    elements.

    This vulnerability is also known as OSA-2020-14.

CVE-2021-21252

    Erik Krogh Kristensen and Alvaro Muñoz from the GitHub Security Lab
    team discovered a Regular Expression Denial of Service (ReDoS)
    vulnerability in OTRS' embedded jQuery-validate 1.16.0 copy.

CVE-2021-21439

    A Denial of Service (DoS) attack can be performed when an email
    contains a specially designed URL in the body.  It can lead to
    high CPU usage and cause low quality of service, or in an extreme
    case bring the system to a halt.

    This vulnerability is also known as OSA-2021-09 or ZSA-2021-03.

CVE-2021-21440

    Julian Droste and Mathias Terlinde discovered that the Generated
    Support Bundles contain private S/MIME and PGP keys when the parent
    directory is not hidden.  Furthermore, secrets and PINs for the keys
    are not masked properly.

    This vulnerability is also known as OSA-2021-10 or ZSA-2021-08.

CVE-2021-21441

    There is a Cross-Site Scripting (XSS) vulnerability in the ticket
    overview screens.  It is possible to collect various information by
    having an e-mail shown in the overview screen.  An attack can be
    performed by sending a specially crafted e-mail to the system, which
    does not require any user interaction.

    This vulnerability is also known as OSA-2021-11 or ZSA-2021-06.

CVE-2021-21443

    Agents are able to list customer user emails without the required
    permissions in the bulk action screen.

    This vulnerability is also known as OSA-2021-13 or ZSA-2021-09.

CVE-2021-36091

    Agents are able to list appointments in the calendars without the
    required permissions.

    This vulnerability is also known as OSA-2021-14 or ZSA-2021-10.

CVE-2021-36100

    Rayhan Ahmed and Maxime Brigaudeau discovered that a specially
    crafted string in the system configuration allows execution of
    arbitrary system commands.

    The fix 1/ removes configurable system commands from generic agents;
    2/ removes the ‘MIME-Viewer###…’ settings (the system command in
    SysConfig option "MIME-Viewer" is now only configurable via
    Kernel/Config.pm); 3/ removes dashboard widget support for execution
    of system commands; and 4/ deactivates support for execution of
    configurable system commands from Sendmail and PostMaster pre-filter
    configurations.

    This vulnerability is also known as OSA-2022-03 or ZSA-2022-02.

CVE-2021-41182

    Esben Sparre Andreasen discovered an XSS vulnerability in the
    `altField` option of the Datepicker widget in OTRS' embedded
    jQuery-UI 1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.

CVE-2021-41183

    Esben Sparre Andreasen discovered an XSS vulnerability in the
    `*Text` options of the Datepicker widget in OTRS' embedded jQuery-UI
    1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.

CVE-2021-41184

    Esben Sparre Andreasen discovered an XSS vulnerability in the `of`
    option of the `.position()` util in OTRS' embedded jQuery-UI 1.12.1
    copy.

    This vulnerability is also known as ZSA-2022-01.

CVE-2022-4427

    Tim Püttmanns discovered an SQL injection vulnerability in
    Kernel::System::Ticket::TicketSearch, which can be exploited using
    the web service operation "TicketSearch".

    This vulnerability is also known as ZSA-2022-07.

CVE-2023-38060

    Tim Püttmanns discovered an Improper Input Validation vulnerability
    in the ContentType parameter for attachments on TicketCreate or
    TicketUpdate operations.

For Debian 10 buster, these problems have been fixed in version
6.0.16-2+deb10u1.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/otrs2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
