Open Ticket Request System (OTRS) 5.x, 6.x and 7.x Arbitrary File Read Vulnerability (Report Statistics XML Import)

Summary

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.
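The advisory does not say how the crafted statistics XML turns into a file read, and the fixed code is not reproduced here. The two usual routes by which an XML import reads server files are external entities (XXE) and XInclude, so an added example (not OTRS code, and with element names that only loosely imitate a statistics export) shows the gate an operator can put in front of such an import: scan the document with the stdlib expat parser, record every DOCTYPE, entity declaration, external entity reference and XInclude element, open nothing, and refuse the import if anything was recorded.

```python
# Added example: a pre-import gate for "Report Statistics" style XML.
# This is NOT OTRS code and the advisory does not state the exact
# mechanism of the file read; external entities and XInclude are the
# usual ways an XML import becomes a file read, so the gate refuses
# documents that use them before the real importer parses anything.
import xml.parsers.expat as expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def audit_import_xml(data: bytes) -> list:
    """Return the reasons a document should be rejected (empty list = clean).

    expat is used only as a scanner: every DOCTYPE, entity declaration,
    external entity reference and XInclude element is reported, and no
    external resource is ever opened (the reference handler just records
    the target and tells expat to carry on).
    """
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        where = f" SYSTEM {sysid!r}" if sysid else ""
        findings.append(f"DOCTYPE for <{name}>{where}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid is not None:
            findings.append(f"external {kind} entity {name!r} -> {sysid!r}")
        else:
            findings.append(f"internal {kind} entity {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"reference to external entity {sysid!r}")
        return 1  # non-zero = "handled": expat does not error out, nothing is read

    def on_start_element(tag, attrs):
        # with namespace_separator=" " the tag arrives as "<namespace> <local>"
        if tag.startswith(XINCLUDE_NS + " "):
            findings.append(f"XInclude element href={attrs.get('href')!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


def is_safe_to_import(data: bytes) -> bool:
    """True only when the scanner found nothing to object to."""
    return not audit_import_xml(data)


# Constructed sample documents (assumed, simplified element names; the real
# OTRS statistics schema is not reproduced here).
BENIGN_STATS = b"""<?xml version="1.0" encoding="utf-8"?>
<otrs_stats>
  <Title>Tickets per queue &amp; state</Title>
  <Format>CSV</Format>
</otrs_stats>
"""

XXE_STATS = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE otrs_stats [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<otrs_stats>
  <Title>&xxe;</Title>
</otrs_stats>
"""

XINCLUDE_STATS = b"""<?xml version="1.0" encoding="utf-8"?>
<otrs_stats xmlns:xi="http://www.w3.org/2001/XInclude">
  <Title><xi:include href="/etc/passwd" parse="text"/></Title>
</otrs_stats>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_STATS), ("xxe", XXE_STATS),
                       ("xinclude", XINCLUDE_STATS)):
        print(label, "->", audit_import_xml(doc) or "clean")
```

The gate is deliberately stricter than the XML specification: a statistics export has no legitimate need for a DOCTYPE, custom entities or XInclude, so rejecting all of them costs nothing and removes the whole class regardless of which parser the importer uses afterwards. Parsing with a namespace-aware expat instance is what lets the XInclude check key on the namespace URI rather than on the `xi:` prefix, which an attacker can rename freely.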

Credit:

The information has been provided by Markus Koschany
The original article can be found at: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/


Details

OTRS is prone to an arbitrary file read vulnerability in its Report Statistics import. An attacker who is already logged in as an agent with permission to import statistics can submit carefully crafted XML that causes the application to read files on the OTRS server, disclosing any file readable by the user the application runs as. Exploitation requires valid agent credentials; this is an authenticated post-exploitation primitive, not unauthenticated remote code execution. Affected installations should be updated to a release later than those listed below, as described in the linked advisory.

Vulnerable Systems:

  • OTRS 5.0.0
  • OTRS 5.0.1
  • OTRS 5.0.2
  • OTRS 5.0.3
  • OTRS 5.0.4
  • OTRS 5.0.5
  • OTRS 5.0.6
  • OTRS 5.0.7
  • OTRS 5.0.8
  • OTRS 5.0.9
  • OTRS 5.0.10
  • OTRS 5.0.11
  • OTRS 5.0.12
  • OTRS 5.0.13
  • OTRS 5.0.14
  • OTRS 5.0.15
  • OTRS 5.0.16
  • OTRS 5.0.17
  • OTRS 5.0.18
  • OTRS 5.0.19
  • OTRS 5.0.20
  • OTRS 5.0.21
  • OTRS 5.0.22
  • OTRS 5.0.23
  • OTRS 5.0.24
  • OTRS 5.0.25
  • OTRS 5.0.26
  • OTRS 5.0.27
  • OTRS 5.0.28
  • OTRS 5.0.29
  • OTRS 5.0.30
  • OTRS 5.0.31
  • OTRS 5.0.32
  • OTRS 5.0.33
  • OTRS 5.0.34
  • OTRS 6.0.0

CVE Information:
CVE-2018-9892

Disclosure Timeline:
Publish Date: 05/21/2019

Categories: News