File _patchinfo of Package patchinfo
<patchinfo incident="8833"> <issue tracker="bnc" id="1103800">VUL-1: CVE-2018-14593: otrs: An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is loggedinto OTRS as an agent may escalate their privileges by access</issue> <issue tracker="bnc" id="1109822">VUL-1: CVE-2018-16586: otrs: Loading External Image or CSS Resources (OSA-2018-05)</issue> <issue tracker="bnc" id="1109823">VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)</issue> <issue tracker="cve" id="2018-16586"/> <issue tracker="cve" id="2018-14593"/> <issue tracker="cve" id="2018-16587"/> <category>security</category> <rating>moderate</rating> <packager>AndreasStieger</packager> <description>This update for otrs to version 4.0.32 fixes the following issues: These security issues were fixed: - CVE-2018-16586: An attacker could have sent a malicious email to an OTRS system. If a logged in user opens it, the email could have caused the browser to load external image or CSS resources (bsc#1109822). - CVE-2018-16587: An attacker could have sent a malicious email to an OTRS system. If a user with admin permissions opens it, it caused deletions of arbitrary files that the OTRS web server user has write access to (bsc#1109823). - CVE-2018-14593: An attacker who is logged into OTRS as an agent may have escalated their privileges by accessing a specially crafted URL (bsc#1103800). These non-security issues were fixed: - fixed permissions file @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/ - ACL for Action AgentTicketBulk were inconsistent. </description> <summary>Security update for otrs</summary> </patchinfo>
