Professional OVAL Repository
[Eng]
[Rus]
[Sign-In]
OVAL
Search
Categories
RedCheck
About
OVAL Definitions
OVAL Items
FSTEC Data Bank Information Security Threats
NKCKI
EOL (End Of Life)
Linux Security Advisories
Mozilla Foundation Security Advisory
IBM
VMware
Cisco
Check Point Software Technologies
Apache
Solaris
FreeBSD
Development
GitHub Enterprise
Google Chrome Security Advisories
Oracle Security Advisories
Adobe Security Advisories
OpenSSL Security Advisories
Microsoft
CVE
CWE
CPE
Latest Updates
OS ROSA
ALT Linux
Astra Linux
RED OS
DSA (Debian Security Advisory) Patсh Statistics
DSA (Debian Security Advisory) Patсh Feed
DSA (Debian Security Advisory) Vulnerability Feed
DLA (Debian Security Advisory) Patсh Statistics
DLA (Debian Security Advisory) Patсh Feed
DLA (Debian Security Advisory) Vulnerability Feed
ALT Linux (Security Bulletins) Patсh Statistics
ALT Linux (Security Bulletins) Patсh Feed
ALT Linux (Security Bulletins) Vulnerability Feed
RED OS (Security Bulletins) Patсh Statistics
RED OS (Security Bulletins) Patсh Feed
RED OS (Security Bulletins) Vulnerability Feed
USN (Ubuntu Security Notice) Patсh Statistics
USN (Ubuntu Security Notice) Patсh Feed
USN (Ubuntu Security Notice) Vulnerability Feed
RHSA (RedHat Security Advisory) Patсh Statistics
RHSA (RedHat Security Advisory) Patсh Feed
RHSA (RedHat Security Advisory) Vulnerability Feed
ELSA (Oracle Linux Security Advisory) Patсh Statistics
ELSA (Oracle Linux Security Advisory) Patсh Feed
ELSA (Oracle Linux Security Advisory) Vulnerability Feed
SUSE (SUSE Security Advisories) Patсh Statistics
SUSE (SUSE Security Advisories) Patсh Feed
SUSE (SUSE Security Advisories) Vulnerability Feed
openSUSE (openSUSE Security Advisories) Patсh Statistics
openSUSE (openSUSE Security Advisories) Patсh Feed
openSUSE (openSUSE Security Advisories) Vulnerability Feed
Amazon Linux AMI (Security Bulletins) Patсh Statistics
Amazon Linux AMI (Security Bulletins) Patсh Feed
Amazon Linux AMI (Security Bulletins) Vulnerability Feed
Mageia Linux (Security Bulletins) Patсh Statistics
Mageia Linux (Security Bulletins) Patсh Feed
Mageia Linux (Security Bulletins) Vulnerability Feed
OS ROSA SX COBALT 1.0
OS ROSA DX COBALT 1.0
ROSA 7.3 (Security Advisories) Patсh Statistics
ROSA 7.3 (Security Advisories) Patсh Feed
ROSA 7.3 (Security Advisories) Vulnerability Feed
ALT Linux SPT 6.0
ALT Linux SPT 7.0
ALT 8 SP
ALT 9
Astra Linux SE 1.5
Astra Linux SE 1.6
Astra Linux SE 1.7
Astra Linux SE 1.8
RED OS Murom 7.1
RED OS Murom 7.2
IBM DB2
VMware Vulnerabilities Advisory (VMSA)
VMware vCenter Patch Advisories
VMware ESXi Patch Advisories
VMware NSX Patches
VMware NSX Vulnerabilities
VMware Photon OS 1.0 Patches
VMware Photon OS 1.0 Vulnerabilities
VMware Photon OS 2.0 Patches
VMware Photon OS 2.0 Vulnerabilities
Cisco ASA
Cisco IOS/NX-OS Advisory
Cisco NX-OS Vulnerabilities
Check Point Gaia
Apache Tomcat Advisories
Apache Tomcat Server
Apache HTTP Server
Python
Node.js
RubyGems
Qt
Microsoft Security Bulletin
Microsoft Knowledge Base Article
Microsoft SharePoint
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2016
About OVALdb
User manual
Pricing
Contact us
OVAL Definitions
>
OVAL Definition Details
Id
oval:com.altx-soft.nix:def:224150
[Rus]
Version
1
Class
patch
ALTXid
451121
Language
English
Severity
Critical
Title
DLA-3551-1 -- otrs2 security update
Description
Multiple vulnerabilities were found in otrs2, the Open-Source Ticket Request System
Family
unix
Platform
Debian 10
Product
otrs2
Reference
VENDOR: DLA-3551-1
VENDOR: DLA-3551-1
Id:
DLA-3551-1
Reference:
https://lists.debian.org/debian-lts-announce/2023/debian-lts-announce-202308/msg00040.html
CVE: CVE-2019-11358
CVE: CVE-2019-11358
Id:
CVE-2019-11358
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Comment
: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
1321 ()
References:
https://www.drupal.org/sa-core-2019-006 (MISC)
https://snyk.io/vuln/SNYK-JS-JQUERY-174006 (MISC)
https://github.com/jquery/jquery/pull/4333 (MISC)
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b (MISC)
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ (MISC)
https://backdropcms.org/security/backdrop-sa-core-2019-009 (MISC)
DSA-4434 (DEBIAN)
20190421 [SECURITY] [DSA 4434-1] drupal7 security update (BUGTRAQ)
108023 (BID)
[debian-lts-announce] 20190506 [SECURITY] [DLA 1777-1] jquery security update (MLIST)
20190509 dotCMS v5.1.1 Vulnerabilities (BUGTRAQ)
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html (MISC)
20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability (FULLDISC)
20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability (FULLDISC)
20190510 dotCMS v5.1.1 Vulnerabilities (FULLDISC)
[debian-lts-announce] 20190520 [SECURITY] [DLA 1797-1] drupal7 security update (MLIST)
[oss-security] 20190603 Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) (MLIST)
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html (MISC)
RHSA-2019:1456 (REDHAT)
DSA-4460 (DEBIAN)
20190612 [SECURITY] [DSA 4460-1] mediawiki security update (BUGTRAQ)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (MISC)
https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ (MISC)
openSUSE-SU-2019:1839 (SUSE)
RHBA-2019:1570 (REDHAT)
openSUSE-SU-2019:1872 (SUSE)
RHSA-2019:2587 (REDHAT)
https://security.netapp.com/advisory/ntap-20190919-0001/ (CONFIRM)
RHSA-2019:3023 (REDHAT)
RHSA-2019:3024 (REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (MISC)
https://www.synology.com/security/advisory/Synology_SA_19_19 (CONFIRM)
https://www.tenable.com/security/tns-2019-08 (CONFIRM)
https://www.oracle.com/security-alerts/cpujan2020.html (MISC)
[debian-lts-announce] 20200224 [SECURITY] [DLA 2118-1] otrs2 security update (MLIST)
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html (MISC)
https://www.tenable.com/security/tns-2020-02 (CONFIRM)
N/A (N/A)
https://www.oracle.com/security-alerts/cpujul2020.html (MISC)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601 (CONFIRM)
https://www.oracle.com/security-alerts/cpujan2021.html (MISC)
https://www.oracle.com/security-alerts/cpuApr2021.html (MISC)
N/A (N/A)
https://www.oracle.com/security-alerts/cpuoct2021.html (MISC)
https://www.oracle.com/security-alerts/cpujan2022.html (MISC)
https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1 (MISC)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
[airflow-commits] 20190428 [GitHub] [airflow] feng-tao commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 ()
[airflow-commits] 20190428 [GitHub] [airflow] feng-tao opened a new pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 ()
[airflow-commits] 20190428 [GitHub] [airflow] codecov-io commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 ()
[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG merged pull request #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 ()
[airflow-commits] 20190428 [GitHub] [airflow] XD-DENG commented on issue #5197: [AIRFLOW-XXX] Fix CVE-2019-11358 ()
FEDORA-2019-eba8e44ee6 ()
FEDORA-2019-1a3edd7e8a ()
FEDORA-2019-7eaf0bbe7c ()
FEDORA-2019-2a0ce0c58c ()
FEDORA-2019-a06dffab1c ()
FEDORA-2019-f563e66380 ()
[roller-commits] 20190820 [jira] [Created] (ROL-2150) Fix Js security vulnerabilities detected using retire js ()
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities ()
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities ()
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities ()
[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html ()
[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html ()
[syncope-dev] 20200423 Jquery version on 2.1.x/2.0.x ()
[flink-dev] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[flink-issues] 20200513 [jira] [Created] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[flink-issues] 20200518 [jira] [Commented] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[flink-issues] 20200518 [jira] [Updated] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[flink-issues] 20200518 [jira] [Assigned] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[flink-issues] 20200520 [jira] [Closed] (FLINK-17675) Resolve CVE-2019-11358 from jquery ()
[storm-dev] 20200708 [GitHub] [storm] Crim opened a new pull request #3305: [STORM-3553] Upgrade jQuery from 1.11.1 to 3.5.1 ()
CVE: CVE-2019-12248
CVE: CVE-2019-12248
Id:
CVE-2019-12248
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12248
Comment
: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References:
https://lists.debian.org/debian-lts-announce/2019/06/msg00004.html (CONFIRM)
https://www.otrs.com/category/release-and-security-notes-en/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-12497
CVE: CVE-2019-12497
Id:
CVE-2019-12497
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12497
Comment
: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score:
5.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://lists.debian.org/debian-lts-announce/2019/06/msg00004.html (CONFIRM)
https://community.otrs.com/category/security-advisories-en/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-12746
CVE: CVE-2019-12746
Id:
CVE-2019-12746
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12746
Comment
: An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/ (CONFIRM)
https://www.otrs.com/category/release-and-security-notes-en/ (MISC)
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html (CONFIRM)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-13458
CVE: CVE-2019-13458
Id:
CVE-2019-13458
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13458
Comment
: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
https://www.otrs.com/category/release-and-security-notes-en/ (MISC)
https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/ (CONFIRM)
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html (CONFIRM)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-16375
CVE: CVE-2019-16375
Id:
CVE-2019-16375
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16375
Comment
: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
CVSSv2 Score:
3.5
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
SINGLE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3 Score:
5.4
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2019-13/ (CONFIRM)
https://community.otrs.com/category/security-advisories-en/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-18179
CVE: CVE-2019-18179
Id:
CVE-2019-18179
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18179
Comment
: An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/ (MISC)
[debian-lts-announce] 20200101 [SECURITY] [DLA 2053-1] otrs2 security update (MLIST)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2019-18180
CVE: CVE-2019-18180
Id:
CVE-2019-18180
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18180
Comment
: Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
References:
https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/ (CONFIRM)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1765
CVE: CVE-2020-1765
Id:
CVE-2020-1765
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1765
Comment
: An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3 Score:
5.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE:
CWE-Other ()
References:
N/A (CONFIRM)
[debian-lts-announce] 20200129 [SECURITY] [DLA 2079-1] otrs2 security update (MLIST)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1766
CVE: CVE-2020-1766
Id:
CVE-2020-1766
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1766
Comment
: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
N/A (CONFIRM)
[debian-lts-announce] 20200129 [SECURITY] [DLA 2079-1] otrs2 security update (MLIST)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1767
CVE: CVE-2020-1767
Id:
CVE-2020-1767
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1767
Comment
: Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CVSSv2 Score:
3.5
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
SINGLE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE:
CWE-Other ()
References:
N/A (CONFIRM)
[debian-lts-announce] 20200129 [SECURITY] [DLA 2079-1] otrs2 security update (MLIST)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1769
CVE: CVE-2020-1769
Id:
CVE-2020-1769
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1769
Comment
: In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-06/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1770
CVE: CVE-2020-1770
Id:
CVE-2020-1770
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1770
Comment
: Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-07/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update (MLIST)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1771
CVE: CVE-2020-1771
Id:
CVE-2020-1771
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1771
Comment
: Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVSSv2 Score:
3.5
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
SINGLE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSSv3 Score:
5.4
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-08/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1772
CVE: CVE-2020-1772
Id:
CVE-2020-1772
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1772
Comment
: It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-09/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update (MLIST)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1773
CVE: CVE-2020-1773
Id:
CVE-2020-1773
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1773
Comment
: An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.
CVSSv2 Score:
5.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv3 Score:
8.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE:
331 (Insufficient Entropy)
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-10/ (MISC)
openSUSE-SU-2020:0551 (SUSE)
openSUSE-SU-2020:1475 (SUSE)
openSUSE-SU-2020:1509 (SUSE)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1774
CVE: CVE-2020-1774
Id:
CVE-2020-1774
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1774
Comment
: When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.9
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
HIGH
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE:
CWE-Other ()
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-11/ (CONFIRM)
[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update (MLIST)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-1776
CVE: CVE-2020-1776
Id:
CVE-2020-1776
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1776
Comment
: When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE:
613 (Insufficient Session Expiration)
References:
https://otrs.com/release-notes/otrs-security-advisory-2020-13/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2020-11022
CVE: CVE-2020-11022
Id:
CVE-2020-11022
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Comment
: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 (CONFIRM)
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ (MISC)
https://jquery.com/upgrade-guide/3.5/ (MISC)
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77 (MISC)
https://security.netapp.com/advisory/ntap-20200511-0006/ (CONFIRM)
https://www.drupal.org/sa-core-2020-002 (CONFIRM)
DSA-4693 (DEBIAN)
https://www.oracle.com/security-alerts/cpujul2020.html (MISC)
openSUSE-SU-2020:1060 (SUSE)
GLSA-202007-03 (GENTOO)
openSUSE-SU-2020:1106 (SUSE)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
openSUSE-SU-2020:1888 (SUSE)
https://www.tenable.com/security/tns-2020-10 (CONFIRM)
https://www.tenable.com/security/tns-2020-11 (CONFIRM)
https://www.oracle.com/security-alerts/cpujan2021.html (MISC)
https://www.tenable.com/security/tns-2021-02 (CONFIRM)
[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update (MLIST)
http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html (MISC)
https://www.tenable.com/security/tns-2021-10 (CONFIRM)
https://www.oracle.com/security-alerts/cpuApr2021.html (MISC)
N/A (N/A)
https://www.oracle.com/security-alerts/cpuoct2021.html (MISC)
https://www.oracle.com/security-alerts/cpujan2022.html (MISC)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
N/A (N/A)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
FEDORA-2020-11be4b36d4 ()
FEDORA-2020-36d2db5f51 ()
[airflow-commits] 20200820 [GitHub] [airflow] breser opened a new issue #10429: jquery dependency needs to be updated to 3.5.0 or newer ()
FEDORA-2020-fbb94073a1 ()
FEDORA-2020-0b32a59b54 ()
FEDORA-2020-fe94df8c34 ()
[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
CVE: CVE-2020-11023
CVE: CVE-2020-11023
Id:
CVE-2020-11023
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Comment
: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://jquery.com/upgrade-guide/3.5/ (MISC)
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 (CONFIRM)
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released (MISC)
https://security.netapp.com/advisory/ntap-20200511-0006/ (CONFIRM)
https://www.drupal.org/sa-core-2020-002 (CONFIRM)
DSA-4693 (DEBIAN)
https://www.oracle.com/security-alerts/cpujul2020.html (MISC)
openSUSE-SU-2020:1060 (SUSE)
GLSA-202007-03 (GENTOO)
openSUSE-SU-2020:1106 (SUSE)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
openSUSE-SU-2020:1888 (SUSE)
https://www.oracle.com/security-alerts/cpujan2021.html (MISC)
https://www.tenable.com/security/tns-2021-02 (CONFIRM)
[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update (MLIST)
http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html (MISC)
https://www.tenable.com/security/tns-2021-10 (CONFIRM)
https://www.oracle.com/security-alerts/cpuApr2021.html (MISC)
N/A (N/A)
https://www.oracle.com/security-alerts/cpuoct2021.html (MISC)
https://www.oracle.com/security-alerts/cpujan2022.html (MISC)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
N/A (N/A)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
FEDORA-2020-36d2db5f51 ()
[hive-issues] 20200813 [jira] [Assigned] (HIVE-24039) update jquery version to mitigate CVE-2020-11023 ()
[hive-dev] 20200813 [jira] [Created] (HIVE-24039) update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200813 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200813 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200902 [jira] [Work started] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200902 [jira] [Commented] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200902 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200902 [jira] [Comment Edited] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200904 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023 ()
FEDORA-2020-fbb94073a1 ()
FEDORA-2020-0b32a59b54 ()
[hive-issues] 20200915 [jira] [Resolved] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-commits] 20200915 [hive] branch master updated: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 (#1403) ()
[hive-issues] 20200915 [jira] [Work logged] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
[hive-gitbox] 20200915 [GitHub] [hive] kgyrtkirk merged pull request #1403: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 ()
[hive-issues] 20200915 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023 ()
FEDORA-2020-fe94df8c34 ()
[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html ()
[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[felix-dev] 20201208 [jira] [Created] (FELIX-6366) 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-dev] 20201208 [GitHub] [felix-dev] cziegeler merged pull request #64: FELIX-6366 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-dev] 20201208 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #64: FELIX-6366 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-dev] 20201208 [jira] [Commented] (FELIX-6366) 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-dev] 20201208 [jira] [Assigned] (FELIX-6366) 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 ()
[felix-commits] 20201208 [felix-dev] branch master updated: FELIX-6366 1.0.3 < jQuery <3.4.0 is vulnerable to CVE-2020-11023 (#64) ()
[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 < jQuery <3.5.0 is vulnerable to CVE-2020-11023 ()
[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler ()
CVE: CVE-2021-21252
CVE: CVE-2021-21252
Id:
CVE-2021-21252
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21252
Comment
: The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))
References:
https://github.com/jquery-validation/jquery-validation/commit/5d8f29eef363d043a8fec4eb86d42cadb5fa5f7d (MISC)
https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm (CONFIRM)
https://www.npmjs.com/package/jquery-validation (MISC)
https://github.com/jquery-validation/jquery-validation/pull/2371 (MISC)
https://security.netapp.com/advisory/ntap-20210219-0005/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-21439
CVE: CVE-2021-21439
Id:
CVE-2021-21439
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21439
Comment
: DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
755 (Improper Handling of Exceptional Conditions)
References:
https://otrs.com/release-notes/otrs-security-advisory-2021-09/ (MISC)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-21440
CVE: CVE-2021-21440
Id:
CVE-2021-21440
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21440
Comment
: Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
https://otrs.com/release-notes/otrs-security-advisory-2021-10/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-21441
CVE: CVE-2021-21441
Id:
CVE-2021-21441
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21441
Comment
: There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2021-11/ (MISC)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-21443
CVE: CVE-2021-21443
Id:
CVE-2021-21443
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21443
Comment
: Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
https://otrs.com/release-notes/otrs-security-advisory-2021-13/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-36091
CVE: CVE-2021-36091
Id:
CVE-2021-36091
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36091
Comment
: Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
CVSSv2 Score:
4
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3 Score:
4.3
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
LOW
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE:
863 (Incorrect Authorization)
References:
https://otrs.com/release-notes/otrs-security-advisory-2021-14/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-36100
CVE: CVE-2021-36100
Id:
CVE-2021-36100
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36100
Comment
: Specially crafted string in OTRS system configuration can allow the execution of any system command.
CVSSv2 Score:
9
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
SINGLE
Confidentiality impact:
COMPLETE
Integrity impact:
COMPLETE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE:
78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2022-03/ (CONFIRM)
[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update (MLIST)
CVE: CVE-2021-41182
CVE: CVE-2021-41182
Id:
CVE-2021-41182
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182
Comment
: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc (CONFIRM)
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 (MISC)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-contrib-2022-004 (MISC)
https://www.drupal.org/sa-core-2022-002 (CONFIRM)
[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update (MLIST)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
N/A (N/A)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2021-41183
CVE: CVE-2021-41183
Id:
CVE-2021-41183
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183
Comment
: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://bugs.jqueryui.com/ticket/15284 (MISC)
https://github.com/jquery/jquery-ui/pull/1953 (MISC)
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 (CONFIRM)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-contrib-2022-004 (MISC)
https://www.drupal.org/sa-core-2022-001 (CONFIRM)
https://www.drupal.org/sa-core-2022-002 (CONFIRM)
[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update (MLIST)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
N/A (N/A)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2021-41184
CVE: CVE-2021-41184
Id:
CVE-2021-41184
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184
Comment
: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
6.1
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
CHANGED
Confidentiality impact:
LOW
Integrity impact:
LOW
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:
79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
References:
https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 (MISC)
https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 (CONFIRM)
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ (MISC)
https://security.netapp.com/advisory/ntap-20211118-0004/ (CONFIRM)
https://www.drupal.org/sa-core-2022-001 (CONFIRM)
https://www.oracle.com/security-alerts/cpuapr2022.html (MISC)
https://www.tenable.com/security/tns-2022-09 (CONFIRM)
N/A (N/A)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ (MISC)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2022-4427
CVE: CVE-2022-4427
Id:
CVE-2022-4427
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4427
Comment
: Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2022-15/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
CVE: CVE-2023-38060
CVE: CVE-2023-38060
Id:
CVE-2023-38060
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38060
Comment
: Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
LOW
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE:
74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
References:
https://otrs.com/release-notes/otrs-security-advisory-2023-04/ (MISC)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MISC)
Content available only for registered users!
ovaldb@altx-soft.com