CVE Vulnerability

CVE-2019-9892

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.debian.org/debian-lts-announce/2019/05/msg00003.html Mailing List Third Party Advisory
https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/ Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html Broken Link
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html Broken Link
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html Broken Link
Configurations

Configuration 1

cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Information

Published : 2019-05-22 12:29

Updated : 2023-01-20 04:12

NVD link : CVE-2019-9892

Mitre link : CVE-2019-9892

Products Affected
No products.
CWE
CWE-91