CVE-2020-1765

Published: Jan 10, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

Affected (9)

Products: Otrs: Otrs · Debian: Debian Linux · Opensuse: Backports Sle, Leap

1 product

1 product

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Otrs Otrs	From 7.0.0 to 7.0.13
Otrs Otrs	From 5.0.0 to 5.0.39
Otrs Otrs	From 6.0.0 to 6.0.24

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Opensuse Backports Sle	Version 15.0
Opensuse Backports Sle	Version 15.0 sp1
Opensuse Backports Sle	Version 15.0 sp2
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Related CWEs

External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

References (12)

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html

Source: security@otrs.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html

Source: security@otrs.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html

Source: security@otrs.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html

Source: security@otrs.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Source: security@otrs.com

https://otrs.com/release-notes/otrs-security-advisory-2020-01/

Source: security@otrs.com

PatchVendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://otrs.com/release-notes/otrs-security-advisory-2020-01/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.