Описание
Security update for otrs
This update for otrs to version 4.0.32 fixes the following issues:
These security issues were fixed:
- CVE-2018-16586: An attacker could have sent a malicious email to an OTRS system. If a logged in user opens it, the email could have caused the browser to load external image or CSS resources (bsc#1109822).
- CVE-2018-16587: An attacker could have sent a malicious email to an OTRS system. If a user with admin permissions opens it, it caused deletions of arbitrary files that the OTRS web server user has write access to (bsc#1109823).
- CVE-2018-14593: An attacker who is logged into OTRS as an agent may have escalated their privileges by accessing a specially crafted URL (bsc#1103800).
These non-security issues were fixed:
- fixed permissions file @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/
- ACL for Action AgentTicketBulk were inconsistent.
Список пакетов
SUSE Package Hub for SUSE Linux Enterprise 15
Ссылки
- E-Mail link for openSUSE-SU-2018:3005-1
- SUSE Security Ratings
Описание
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL.
Затронутые продукты
Ссылки
- CVE-2018-14593
- SUSE Bug 1103800
Описание
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.
Затронутые продукты
Ссылки
- CVE-2018-16586
- SUSE Bug 1109822
Описание
In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.
Затронутые продукты
Ссылки
- CVE-2018-16587
- SUSE Bug 1109823