| Name | CVE-2018-14593 |
| Description | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1473-1, DSA-4317-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
| stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | fixed |
| buster/non-free | 6.0.16-2 | fixed |
| buster/non-free (security) | 6.0.16-2+deb10u1 | fixed |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| otrs2 | source | wheezy | (unfixed) | end-of-life | | |
| otrs2 | source | jessie | 3.3.18-1+deb8u5 | | DLA-1473-1 | |
| otrs2 | source | stretch | 5.0.16-1+deb9u6 | | DSA-4317-1 | |
| otrs2 | source | (unstable) | 6.0.10-1 | | | |
Notes
https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/
OTRS-6: https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62
OTRS-5: https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216
OTRS-4: https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320