Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-12746

An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user.

Published

2019-08-21T14:15:10.460

Last Modified

2024-11-21T04:23:29.167

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	otrs	otrs	≤ 5.0.36	Yes
Application	otrs	otrs	≤ 6.0.19	Yes
Operating System	debian	debian_linux	8.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html Broken Link ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html Broken Link ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html Broken Link ([email protected])
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/ Patch, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html ([email protected])
https://www.otrs.com/category/release-and-security-notes-en/ Release Notes ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/ Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.otrs.com/category/release-and-security-notes-en/ Release Notes (af854a3a-2127-422b-91ae-364da2661108)