You decide the level of support required to ensure your OTRS runs smoothly.

1 SLW: Central European Time (CET) - excluding holidays
2 Take advantage of our Security Advisories for OTRS.

The Experts

We provide the best service to you by supporting you on-site. Excellent people with excellent knowledge make sure that you will succeed.

Your Offer

We offer a large amount of standard workshops, just find out what you need.


Evaluation Workshop

The evaluation process is the first step in implementing an OTRS solution. Full confidence in both the software and service provider is critical when deciding to invest in any solution. The objective of the evaluation is to provide you with insight into the software's range of functions and capabilities to understand how it may be used to meet your business requirements.

Conceptual Design Workshop

During the conceptual design, organizations work collaboratively with one of our consultants to design the exact specifications for their OTRS implementation. The consultant offers best practice recommendations when designing model structures, processes and workflows and develops all technical specifications for the production environment.

Installation & Configuration Workshop

Benefit from our expertise for successful deployment of mission-critical service solutions. Our consultants will help you to configure OTRS, integrating various IT infrastructure elements and thereby eliminating the need to administer redundant data in various systems.

Review Workshop

As your business evolves, our consultants will assist at re-evaluating and assessing your requirements to uncover unrealized potential within your OTRS solution. If further customization or specialization is required, you have our on-going support and dedication to ensure your organization remains highly adaptable and always competitive.

Troubleshooting/Performance Workshop

Sometimes you run into trouble/performance problems. Then quick and effective help is needed. Our OTRS Consultants will help you to solve any of your problems.

You provide the best service to your customers, while we design and develop the best extensions for you. With 14 years' experience in helpdesk and customer service we will show you things you never dreamed of.


Feature Extensions/Add-Ons

Get access to our extensions as a foundation for your business needs.

Customization

Work with the OTRS development team to build highly customized and innovative service solutions on OTRS. OTRS developed solutions provide the flexibility and performance businesses require to meet their customer demands.

Your Offer

Just submit your needs and receive your personal offer!


OTRS Admin Training

We will coach you through setup, backup and restore as well as the configuration of OTRS. The training course is directed at administrators in charge of system configuration, management of users and authorizations and customization according to corporate design.

You will gain in-depth insight into the system's functional mechanisms and, for training purposes, will complete the entire setup and configuration cycle. The main focus will be SysConfig and the central configuration file Kernel/Config.pm, so that you can conveniently customize the system according to your and/or your customers' requirements.

Practical elements, e.g. the exemplary integration with e-mail and directory services, will be part of the training course, as well as learning how to handle ticket ACLs (Access Control Lists) and how to model workflows by means of the system.

Duration: 3 days

OTRS Master Training

You already operate OTRS and have some experience? OTRS can do more than what you see in the normal admin interface!

This course is aimed at OTRS administrators who are confident in their daily work with OTRS but want to understand the system even further. Learn about hidden features and capabilities of OTRS.

Dive into the world of ACLs, SysConfig and reporting. Learn tips and tricks for connecting external systems and external authentication.

Duration: 3 days

OTRS Key User Training

The training is aimed at service and support staff who are getting familiar with OTRS and its functions in their daily work.

Duration: 1 day

OTRS Developer Training

Already using OTRS, but you are missing a feature? This course will give you more than just a glimpse into the source code and the philosophy of OTRS.

We will show by example which architecture lies behind it and how to develop extensions for it effectively. In exercises you will build, e.g., Postmaster filters and front-end modules, and also develop individual interfaces to external systems, such as a CTI connector.

Duration: 3 days

Features

  • Easy installation and upgrade via the package manager of OTRS
  • Enables package verification for Znuny packages as well

Installation

Download and save the package.

Open Package Management via Admin -> Package Management, select the downloaded Znuny4OTRS-Repo package (OTRS 4/OTRS 5/OTRS 6) via "Select File" and click on "Install Package".

After the installation you will find a new repository, [-Addons-] Znuny4OTRS - Public, in the drop-down; click on "Update repository information" to get access to the newest Znuny packages.

Prerequisites

Internet connection, OTRS 4, OTRS 5 or OTRS 6

Download

|OPM Znuny-Repo for OTRS 4|OPM Znuny-Repo for OTRS 5|OPM Znuny-Repo for OTRS 6|

Feature Add-Ons

With our support contracts you will be given access and support to our feature add-ons, which will increase the performance of your OTRS installation.

After a certain time period, we will be providing everyone with access to the add-ons by making them public. Ask us for more details!

#1 Znuny - Customer Map

Would you like an overview of your open tickets on a map?

This Google Maps extension provides you with the information you need in a dashboard widget.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#2 Znuny - Password Policy

The "Password Policy" enables you to define strict password policies. You can individually configure your "Password Policy" via a SysConfig setting (see more in Configuration Options).

Feature list:

  • Enforce a password renewal after X (configurable) days.
  • Password history to prevent reusage of a password for X (configurable) changes.
  • Disable account after X (configurable) invalid login attempts.
  • Minimum length of the password.
  • Need at least 2 lowercase and 2 uppercase letters in a password.
  • Need at least 2 letters in a password.
  • Need at least 1 number in a password.

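To make the feature list above concrete, here is an added example (not code from the Password Policy add-on or from OTRS) of how such a policy is enforced end to end: complexity rules on a new password, a salted-hash history that blocks reuse for the last X changes, an expiry check after X days, and an account lock after X failed logins. The class and function names, the use of PBKDF2-SHA256 for the stored hashes and all threshold values are assumptions for this illustration.

```python
"""Password-policy checker modelled on the Znuny Password Policy feature list (illustrative, not the add-on's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    """Thresholds; the values are constructed defaults, in OTRS they would live in SysConfig."""
    max_age_days: int = 90        # force a renewal after X days
    history_size: int = 5         # block reuse for the last X changes
    max_failed_logins: int = 5    # disable the account after X invalid attempts
    min_length: int = 8
    min_lower: int = 2
    min_upper: int = 2
    min_letters: int = 2
    min_digits: int = 1


@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, digest) pairs, oldest first
    password_set_at: Optional[datetime] = None
    failed_logins: int = 0
    locked: bool = False


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the history never stores plaintext (PBKDF2 is an assumption here).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_complexity(password: str, policy: Policy) -> list:
    """Return a list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase letters")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase letters")
    if sum(c.isalpha() for c in password) < policy.min_letters:
        problems.append(f"fewer than {policy.min_letters} letters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    return problems


def in_history(account: Account, password: str, policy: Policy) -> bool:
    """True if the password matches any of the last history_size stored hashes."""
    for salt, digest in account.history[-policy.history_size:]:
        if hmac.compare_digest(_digest(password, salt), digest):
            return True
    return False


def set_password(account: Account, password: str, policy: Policy, now: datetime) -> list:
    """Apply complexity and history rules; on success store a fresh salted hash and reset the age."""
    problems = check_complexity(password, policy)
    if in_history(account, password, policy):
        problems.append(f"password was used in the last {policy.history_size} changes")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _digest(password, salt)))
    account.password_set_at = now
    return []


def password_expired(account: Account, policy: Policy, now: datetime) -> bool:
    if account.password_set_at is None:
        return True
    return now - account.password_set_at > timedelta(days=policy.max_age_days)


def login(account: Account, password: str, policy: Policy, now: datetime) -> str:
    """Return "ok", "invalid", "locked" or "expired"; counts failures and locks the account."""
    if account.locked:
        return "locked"
    if not account.history:
        return "invalid"
    salt, digest = account.history[-1]            # the current password is the newest entry
    if not hmac.compare_digest(_digest(password, salt), digest):
        account.failed_logins += 1
        if account.failed_logins >= policy.max_failed_logins:
            account.locked = True
            return "locked"
        return "invalid"
    account.failed_logins = 0                      # a good login resets the counter
    if password_expired(account, policy, now):
        return "expired"                           # caller must force a renewal
    return "ok"


if __name__ == "__main__":
    pol = Policy(history_size=2, max_failed_logins=3)
    acct = Account()
    t0 = datetime(2018, 1, 1)
    print(set_password(acct, "abcdefgh", pol, t0))   # uppercase and digit rules fail
    print(set_password(acct, "Secret12AB", pol, t0))  # [] -> accepted
    print(set_password(acct, "Secret12AB", pol, t0))  # rejected: reuse within history
    print(login(acct, "Secret12AB", pol, t0 + timedelta(days=91)))  # expired
```

The "at least 2 letters" rule is kept as its own check even though two lowercase plus two uppercase letters already imply it, because the add-on lists it as a separately configurable setting. Note that a locked account is only ever unlocked by an administrator in this model; the function never resets `locked` on its own.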
Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#4 Znuny - Show the ticket unlock time in the ticket zoom view

After installing this package you'll find the unlock time shown in the ticket information area. There is no further configuration needed; just configure your unlock timeout as usual.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#5 Znuny - CTI Integration

This package integrates your telephone system into OTRS. For incoming calls, the phone ticket interface is displayed with the corresponding customer data (identified by caller ID). For outgoing calls, a call can be initiated directly by clicking on the customer's telephone number.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6 and a VoIP client able to open URLs on incoming calls

Znuny Add-On Support | Install via Znuny-Repo | Github

#6 Znuny - Toolbar CI Search

With this addon you get direct access to the search for configuration items. Just select the configuration item class in the toolbar and enter your search term.

Define your default class in SysConfig, and a prefix and suffix for the search term if needed.

What are the addon's advantages?

You'll save a lot of time if you search for configuration items often. With CI Search you have easy access via the toolbar.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6 and ITSMConfigurationManagement

Znuny Add-On Support | Install via Znuny-Repo | Github

#7 Znuny - Watch List

With this package you are able to see, add and individually remove all agents watching a ticket.

Prerequisites

OTRS 4 or OTRS 5

Znuny Add-On Support | Download (via Support-Subscription)

#8 Znuny - Tag Cloud

This package enables you to "tag" a ticket. In the dashboard widget a tag cloud shows you trends or hotspots in your field of responsibility.

Prerequisites

OTRS 4 or OTRS 5

Znuny Add-On Support | Download (via Support-Subscription)

#9 Znuny - Second/Additional Ticket Create Screen

This package gives you an additional Ticket-Create-Screen (phone and e-mail) with its own config parameters so that different departments might work with their own Ticket Create Screens.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#10 Znuny - Sort by last contact

This package allows you to sort your tickets by your last contact. This feature will be available in Queue-View, Status-View and Locked-Tickets-View.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | GitHub

#11 Znuny - External URL/Link

This package enables you to include an external URL/link in your customer navigation bar or in your agents' overview, so that you can refer to internal resources.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#12 Znuny - Quick-Close

This package gives you a Quick-Close button in your ticket overview (Queue-View, Escalation-View and Status-View).

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | GitHub

#13 Znuny - Extended proxy assistance

If you have configured an HTTP/FTP proxy in OTRS to access external resources but need a list of exceptions to access local HTTP/FTP resources, this is the package for you.

Configuration via the Admin interface (SysConfig): Proxy-Exceptions.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | Github

#14 Znuny - AD Password Change

Your agents authenticate against an Active Directory? With this package they are able to change their AD password via the OTRS preferences.

Prerequisites

OTRS 4 or OTRS 5 and LDAPS

Znuny Add-On Support | Download (via Support-Subscription)

#15 Znuny - AttachmentMultiUpload

You need to attach multiple files to a ticket? With this package you are able to attach all of them with one upload.

Prerequisites

OTRS 4 or OTRS 5 and an HTML5-compatible browser: Firefox 26+, Chrome 31+, Safari 7+, IE 10+.

Znuny Add-On Support | Install via Znuny-Repo | Github

#17 Znuny - MarkTicketSeenUnseen

You need to mark a ticket or article as unread to read it later or mark complete tickets as read? With this package you are able to mark a whole ticket with all articles or single articles as unread again. Additionally single or multiple tickets can be marked as seen.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | GitHub

#18 Znuny - DownloadAllAttachments

You don't want to download every single attachment of a ticket by hand? With this package you are able to download all attachments of an article or the whole ticket as a zip file at once.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny-Repo | GitHub

#19 Znuny - Services/Company (CustomerID) relations

In standard OTRS you can "only" manage a service / customer user relation (CustomerUserID). With this add-on you can also manage the service / company (CustomerID) relation.

Prerequisites

OTRS 4 or OTRS 5

Znuny Add-On Support | Download (via Support-Subscription)

#20 Znuny - Excel stats

In standard OTRS you can "only" generate statistics in CSV and PDF format, so it is not possible to preformat the statistics before importing them into Excel or OpenOffice. With this add-on you can preformat existing or new statistics and generate them in Excel format.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Download (contact sales)

#22 Znuny - ServiceCatalog

Ticket classification and dispatching is not fast enough? The add-on "ServiceCatalog" will support you. You are able to dispatch tickets faster by service-based queue routing, and your agents can classify tickets more easily.

What are the addon's advantages?

By default you can't configure initial values for fields based on a service. This behaviour doesn't support goal-oriented workflows. By installing the "ServiceCatalog" your agents are able to focus on the services and create tickets faster than before.

What are the features?

This add-on provides the ability to classify tickets as easily as possible and to define presettings for ticket attributes. All these settings depend on the chosen service. These attributes can be predefined:

  1. Queue (enables service based queue routing)
  2. Subject and body
  3. Ticket type
  4. SLA
  5. Priority
  6. Dynamic fields (optional and mandatory)

The add-on "ServiceCatalog" does not only work in the agent interface. It is also available in the customer interface during ticket creation. Only service, dynamic fields, subject and body are shown by default. Ticket type, queue and priority are set based on the chosen service and are neither visible nor editable by the customer. If needed, this can be configured to enable these attributes in the customer interface too.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Download (via Support-Subscription)

#24 Znuny - Out of Office Integration / Microsoft Exchange

Do all your agents have to configure their out-of-office state in each application? With this add-on they will save time. The advanced out-of-office feature will support you. After the installation a web service is available to synchronize the out-of-office settings from other systems like Microsoft Exchange.

What are the addon's advantages?

Each agent or the OTRS administrator has to configure the out-of-office settings. In a default OTRS setup the out-of-office settings are configured via the personal preferences of each agent. With this information all other users know about an agent's presence or absence. This add-on will do this for all your agents. The presence state can be maintained in the application of your choice, like Microsoft Outlook, and easily imported into OTRS.

What are the features?

A preconfigured web service implements an interface between 3rd-party software like Microsoft Exchange and OTRS. With this web service you're able to set your agents' out-of-office configuration. In addition, you have the option to configure the text shown, and it is possible to add information about an agent's login state. Now everybody knows who is logged in.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Download (via Support-Subscription)

#25 Znuny - ShowPendingTimeIfNeeded

The date and time input fields are only shown if the selected state needs it.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny Repository | GitHub

#26 Znuny - AutoSelect

Preselect values for input fields where only one option is available. Optionally, it is possible to hide all input fields where only one option is available.

Prerequisites

OTRS 4, OTRS 5 or OTRS 6

Znuny Add-On Support | Install via Znuny Repository | GitHub

2001 - Martin Edenhofer started the OTRS.org project, with the simple idea of making communication between customers and organizations easier.

2002 - Martin did the first OTRS Consulting job (replaced ARS with OTRS).

2003 - Because of many requests, Martin and three colleagues started the commercial part of OTRS.org, the OTRS GmbH.

2004 - The 1st place in "Open Source Best Practice Award" of the Fraunhofer Institut in the category "public range" went to the city “Muelheim an der Ruhr” for the HelpDesk solution with OTRS.

2005 - NASA was using OTRS.

2007 - OTRS GmbH became OTRS AG.

2011 - Martin moved out from OTRS AG.

2012 - Znuny GmbH was founded by Martin with the vision to give best independent OTRS service to the market.

2013 - A small collection of our new and happy/satisfied customers: Commerzbank AG, DZ BANK AG and Deutsche WertpapierService Bank AG.

2014 - Establishment of Znuny Swiss GmbH as independent OTRS service provider dedicated for Switzerland.

2016 - Establishment of Znuny Inc. as independent OTRS service provider dedicated for NAFTA.

Management

Martin Edenhofer

CEO/Managing Director

Martin Edenhofer (38) is one of the Linux pioneers and inventors of open-source software in Germany. Edenhofer is the founder of the OTRS.org project and made a significant contribution to the development of the OTRS trouble ticket system. After several years working as a developer at SuSE Linux AG on STTS (SuSE's own trouble ticket system), Edenhofer moved from Nuremberg to Frankfurt am Main in 2001 to take on the role of Project Manager for Lufthansa Systems. In 2003 he founded OTRS GmbH (later known as OTRS AG), where he worked as Chief Technical Officer until 2011. In 2012, Martin founded Znuny GmbH as an independent OTRS service provider to provide the best quality of OTRS services.

Znuny Inc.
171 C Avenue, Suite C
Coronado, CA 92118
United States

P +1 949 431 2599
F +1 949 431 2477
E info@znuny.com
W http://znuny.com
Managing Director: Roy Kaldung
A California Company registered at the Secretary of State of California.
File no. C3849651

Znuny Swiss GmbH
Martinsbruggstrasse 35
9016 St. Gallen
Switzerland

P +41 (0) 71 588 03 39
F +41 (0) 71 588 01 86
E info@znuny.ch
W http://znuny.ch
Managing Director: Martin Edenhofer
Business location: St. Gallen
Commercial register/Handelsregisteramt: Kanton St. Gallen, Nr. CHE-134.912.543

Znuny GmbH
Marienstrasse 11
10117 Berlin
Germany

P +49 (0) 30 60 98 54 18-0
F +49 (0) 30 60 98 54 18-8
E info@znuny.com
W http://znuny.com
Managing Director: Martin Edenhofer, Johannes Nickel
Commercial register/Handelsregister Charlottenburg, Nr. HRB 139852 B
Business location: Berlin (Mitte)
Tax number: 37/260/21789

Znuny Information Technology Co., Ltd.
D610 Pufa Plaza, #1759 North Zhongshan Rd.
200061 Shanghai
China

P +86 (0) 181 0179 2535
F +86 (0) 21 6139 0616
E info@znuny.cn
W http://znuny.cn

Responsible:

The responsible authority within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

Znuny GmbH
Marienstrasse 11
10117 Berlin
Germany

P +49 (0) 30 60 98 54 18-0
F +49 (0) 30 60 98 54 18-8
E info@znuny.com

Your rights as a party

You can exercise the following rights at any time using the contact details of our data protection officer:

  • Information about your data stored with us and its processing
  • Correction of incorrect personal data
  • Deletion of your data stored with us
  • Restriction of data processing if we are not yet allowed to delete your data due to legal obligations
  • Objection to the processing of your data by us
  • Data portability if you have consented to data processing or have concluded a contract with us

If you have given us your consent, you can revoke it at any time with effect for the future. You can contact your local supervisory authority at any time with a complaint. Your competent supervisory authority depends on the federal state in which you live, work or where the alleged infringement occurred. A list of supervisory authorities (for the non-public sector) can be found here: LINK.

Purposes of data processing by the responsible body and third parties

We process your personal data only for the purposes stated in this data protection declaration. Your personal data will not be passed on to third parties for purposes other than those mentioned. We will only pass on your personal data to third parties if:

  • you have given your express consent,
  • the processing is required to perform a contract with you,
  • the processing is necessary to fulfil a legal obligation,
  • the processing is necessary to safeguard legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data.

Deletion or locking of data

We adhere to the principles of data avoidance and data economy. We therefore only store your personal data for as long as is necessary to achieve the purposes set out here, or as provided for by the various statutory retention periods. After the respective purpose has ceased to apply or these periods have expired, the corresponding data is routinely blocked or deleted in accordance with legal regulations.

Collection of general information when you visit our website

When you access our website, information of a general nature is automatically collected by means of a cookie. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider and the like. This is exclusively information which does not allow any conclusions to be drawn about your person. This information is technically necessary in order to correctly deliver the content you have requested from websites, and its collection is unavoidable when using the Internet. It is processed in particular for the following purposes: ensuring a trouble-free connection to the website, ensuring smooth use of our website, evaluation of system security and stability, and other administrative purposes. The processing of your personal data is based on our legitimate interest arising from the aforementioned purposes of data collection. We do not use your data to draw conclusions about you personally. The recipients of the data are only the responsible body and, if necessary, contractors. Anonymous information of this kind may be statistically evaluated by us in order to improve our website and its content and to optimize the technology.

Cookies

Like many other websites, we also use so-called "cookies". Cookies are small text files that are transferred from a website server to your computer's hard disk. This automatically provides us with certain data such as IP address, browser used, operating system and your connection to the Internet. Cookies cannot be used to start programs or to transmit viruses to a computer. Using the information contained in cookies, we can make navigation easier for you and enable the correct display of our web pages. Under no circumstances will the data collected by us be passed on to third parties or linked to personal data without your consent. Of course, you can also view our website without cookies. Internet browsers are regularly set to accept cookies. In general, you can deactivate the use of cookies at any time via the settings of your browser. Please use the help functions of your Internet browser to find out how you can change these settings. Please note that individual functions of our website may not work if you have disabled the use of cookies.

SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g. SSL) via HTTPS.

Contact form and chat

If you contact us with questions of any kind by e-mail, chat or contact form, you give us your voluntary consent for the purpose of contacting you. A valid e-mail address is required for this purpose. It is used to assign the request and to answer it. The specification of further data is optional. The information provided by you will be used for the purpose of processing your request and for possible follow-up questions. After your request has been processed, your personal data will be automatically deleted.

Use of Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc. (hereinafter: Google). Google Analytics uses so-called "cookies", i.e. text files, which are stored on your computer and which enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. Due to the activation of IP anonymisation on these websites, however, your IP address is shortened by Google within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website and Internet usage to the website operator. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. The purposes of data processing are to evaluate the use of the website and to compile reports on activities on the website. Other related services will then be provided based on the use of the website and the Internet. The processing is based on the legitimate interest of the website operator. You may refuse the use of cookies by selecting the appropriate settings in your browser; however, please note that if you do this you may not be able to use all functions of this website in full. In addition, you can prevent the data generated by the cookie about your use of the website (including your IP address) from being sent to Google, and the processing of these data by Google, by downloading and installing the following browser plugin: Browser Add On to disable Google Analytics.
In addition or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our pages by clicking on this link. An opt-out cookie is installed on your device. This will prevent Google Analytics from collecting data for this website and for this browser in the future, as long as the cookie remains installed in your browser.

Use of Matomo

This website uses Matomo (formerly Piwik), an open-source software for the statistical analysis of visitor access. Matomo uses so-called cookies, i.e. text files, which are stored on your computer and which enable an analysis of your use of the website. The information generated by the cookie about your use of the website is stored on a server in Germany. The IP address is anonymised immediately after processing and before it is stored. You have the possibility to prevent the installation of cookies by changing the settings of your browser software. We would like to point out that with the appropriate settings not all functions of this website may be available anymore. You can decide whether a unique web analysis cookie may be stored in your browser in order to enable the operator of the website to record and analyse various statistical data.

Use of script libraries (Google Web Fonts)

In order to present our contents correctly and graphically appealing across all browsers, we use script libraries and font libraries on this website, such as Google Web Fonts (https://www.google.com/webfonts/). Google Web Fonts are transferred to your browser's cache to avoid multiple loading. If your browser does not support Google Web Fonts or prevents access, content is displayed in a standard font. Calling script libraries or font libraries automatically triggers a connection to the library operator. It is theoretically possible, though currently unclear whether and, if so, for what purposes, that operators of such libraries collect data. The privacy policy of the library operator Google can be found here: https://www.google.com/policies/privacy/

Use of Google Maps

This website uses the Google Maps API to display geographical information visually. When you use Google Maps, Google also collects, processes and uses data on visitors' use of the map functions. For more information about Google's data processing, please refer to the Google Privacy Notices. There you can also change your personal data protection settings in the Data Protection Center. Detailed instructions for managing your own data in connection with Google products can be found here: https://www.google.com/policies/privacy/

Changes to our data protection regulations

We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements, or in order to implement changes to our services in the data protection declaration, e.g. with the introduction of new services. The new data protection declaration will then apply for your next visit.

Questions to the data protection officer

If you have any questions about data protection, please send us an e-mail or contact the person responsible for data protection in our organization directly:
Znuny GmbH
Marienstrasse 11
10117 Berlin
Germany

P +49 (0) 30 60 98 54 18-0
F +49 (0) 30 60 98 54 18-8
E info@znuny.com

Get informed!

Do you want to get informed about security issues in OTRS? Subscribe here.

List of Advisories

| # | Title | CVE | Severity | Date |
|---|---|---|---|---|
| ZSA-2018-03 | Privilege escalation by HTML form parameter | CVE-2018-14593 | High | 2018-07-31 |
| ZSA-2018-02 | Code injection in the customer user ticket view | CVE-2018-11563 | Medium | 2018-06-12 |
| ZSA-2018-01 | Information Exposure of article details in the customer ticket overview | - | Medium | 2018-05-04 |
| ZSA-2017-06 | Privilege escalation by session hijacking | - | High | 2017-12-19 |
| ZSA-2017-05 | Remote Code Execution for agents when PGP is used | 2017-16921 | High | 2017-12-05 |
| ZSA-2017-04 | Information Disclosure in the customer interface when using the ticket search | 2017-16854 | Medium | 2017-12-05 |
| ZSA-2017-03 | Remote Code Execution with webserver permissions | 2017-16664 | High | 2017-11-21 |
| ZSA-2017-02 | Administrative privileges for agents by uploading statistics | - | High | 2017-09-09 |
| ZSA-2017-01 | Administrative privileges for agents by accessing the installer | 2017-9324 | High | 2017-05-30 |
| ZSA-2015-02 | Affection of Proc::Daemon CVE-2013-7135 | 2015-6842 | Low | 2015-09-29 |
| ZSA-2015-01 | Privilege Escalation vulnerability in Package iPhoneHandle | 2015-6579 | Critical | 2015-09-29 |
| ZSA-2014-06 | Incomplete Access Control | 2014-9324 | Low | 2014-12-16 |
| ZSA-2014-05 | Clickjacking issue | 2014-2554 | Low | 2014-04-02 |
| ZSA-2014-04 | XSS issue | 2014-2553 | Low | 2014-04-02 |
| ZSA-2014-03 | XSS attack via HTML-Email | 2014-1695 | Low | 2014-03-03 |
| ZSA-2014-02 | SQL injection with valid login | 2014-1471 | Medium | 2014-01-28 |
| ZSA-2014-01 | XSS Issue in Customer-Interface | 2014-1694 | Low | 2014-01-28 |
| ZSA-2013-05 | SQL injection / XSS Issue | 2013-4717/4718 | Medium | 2013-07-09 |
| ZSA-2013-04 | Information disclosure and Data manipulation | 2013-4088 | Medium | 2013-06-18 |
| ZSA-2013-03 | Information disclosure and Data manipulation | 2013-3551 | Medium | 2013-06-03 |
| ZSA-2013-02 | XSS attack | 2013-2637 | Low | 2013-04-03 |
| ZSA-2013-01 | Information disclosure and Data manipulation | 2013-2625 | Medium | 2013-04-03 |
| ZSA-2012-03 | XSS attack in Firefox and Opera | 2012-4751 | Critical | 2012-10-16 |
| ZSA-2012-02 | XSS attack in Firefox and Opera | 2012-4600 | Critical | 2012-08-30 |
| ZSA-2012-01 | XSS attack in Internet Explorer | 2012-2582 | Critical | 2012-08-17 |

Details

ID: ZSA-2018-03
Date: 2018-07-31
Title: Privilege escalation by HTML form parameter
Severity: High
Product: OTRS Help Desk 4.0.x up to including 6.0.9
Fixed in: OTRS Help Desk 4.0.31, 5.0.29, 6.0.10
URL: https://znuny.com/de/#!/advisory/ZSA-2018-03
CVE: CVE-2018-14593

Problem

An attacker is able to change unprotected agent and customer user attributes by using a modified request.

The following versions are affected by the described vulnerability:

  • OTRS 4.0.1 up to including 4.0.30
  • OTRS 5.0.1 up to including 5.0.28
  • OTRS 6.0.1 up to including 6.0.9

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

ID: ZSA-2018-02
Date: 2018-06-12
Title: Code injection in the customer user ticket view
Severity: Medium
Product: OTRS Help Desk 6.0.x up to including 6.0.7
Fixed in: OTRS Help Desk 6.0.7
URL: https://znuny.com/de/#!/advisory/ZSA-2018-02
CVE: CVE-2018-11563

Problem

An attacker is able to execute malicious code if a customer user changes the window size. The code is injected via specially crafted article content.

The following versions are affected by the described vulnerability:

  • OTRS 6.0.1 up to including 6.0.7

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2018-01
Date: 2018-05-04
Title: Information Exposure of article details in the customer ticket overview
Severity: Medium
Product: OTRS Help Desk 6.0.x up to including 6.0.6
Fixed in: OTRS Help Desk 6.0.7
URL: https://znuny.com/en/#!/advisory/ZSA-2018-01
CVE: -

Problem

An attacker who is logged in as a customer in OTRS can use the ticket overview to view internal article information of his customer tickets.

The following versions are affected by the described vulnerability:

  • OTRS 6.0.1 up to including 6.0.6

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-06
Date: 2017-12-19
Title: Privilege escalation by session hijacking
Severity: High
Product: OTRS Help Desk 4.0.x up to including 6.0.2
Fixed in: OTRS Help Desk 4.0.28, 5.0.26, 6.0.3
URL: https://znuny.com/en/#!/advisory/ZSA-2017-06
CVE: -

Problem

An attacker could, through a vulnerability in the processing of emails, take over the session from agents who click on a special link from an incoming email.

The following versions are affected by the described vulnerability:

  • OTRS 4.0.1 up to including 4.0.27
  • OTRS 5.0.1 up to including 5.0.25
  • OTRS 6.0.1 up to including 6.0.2

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-05
Date: 2017-12-05
Title: Remote Code Execution for agents when PGP is used
Severity: High
Product: OTRS Help Desk 3.3.x up to including 6.0.1
Fixed in: OTRS Help Desk 4.0.27, 5.0.25, 6.0.2
URL: https://znuny.com/en/#!/advisory/ZSA-2017-05
CVE: 2017-16921

Problem

An attacker with agent permission can use modified form parameters to execute arbitrary code in the operating system with web server permissions.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to including 3.3.20
  • OTRS 4.0.1 up to including 4.0.26
  • OTRS 5.0.1 up to including 5.0.24
  • OTRS 6.0.1

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-04
Date: 2017-12-05
Title: Information Disclosure in the customer interface when using the ticket search
Severity: Medium
Product: OTRS Help Desk 3.3.x up to including 6.0.1
Fixed in: OTRS Help Desk 4.0.27, 5.0.25, 6.0.2
URL: https://znuny.com/en/#!/advisory/ZSA-2017-04
CVE: 2017-16854

Problem

An attacker with customer permission can use the ticket search in the customer interface to access information from internal articles.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to including 3.3.20
  • OTRS 4.0.1 up to including 4.0.26
  • OTRS 5.0.1 up to including 5.0.24
  • OTRS 6.0.1

Workaround

As a workaround the affected file can be replaced:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-03
Date: 2017-11-21
Title: Remote Code Execution with webserver permissions
Severity: High
Product: OTRS Help Desk 3.3.x up to including 5.0.23
Fixed in: OTRS Help Desk 3.3.20, 4.0.26, 5.0.24
URL: http://znuny.com/en/#!/advisory/ZSA-2017-03
CVE: 2017-16664

Problem

An attacker with agent or customer permissions can use arbitrary HTTP parameters for the spell checker language to execute arbitrary code in the operating system with web server privileges. This can lead to serious problems such as privilege escalation, data loss, and denial of service.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to including 3.3.19
  • OTRS 4.0.1 up to including 4.0.25
  • OTRS 5.0.1 up to including 5.0.23

Workaround

As a workaround, you can replace the affected files directly:

OTRS 5.x:

OTRS 4.x:

OTRS 3.3.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-02
Date: 2017-09-19
Title: Administrative privileges for agents by uploading statistics
Severity: High
Product: OTRS Help Desk 3.3.x up to including 6.0.beta1
Fixed in: OTRS Help Desk 3.3.18, 4.0.25, 5.0.23, OTRS 6.0.beta2
URL: https://znuny.com/en/#!/advisory/ZSA-2017-02
CVE: -

Problem

An attacker with agent privileges and statistics privileges can use the statistics upload to upload arbitrary code into the system. This can lead to serious problems such as privilege escalation, data loss and denial of service.

The vulnerability affects all versions of:

  • OTRS 3.3.1 up to including 3.3.17
  • OTRS 4.0.1 up to including 4.0.24
  • OTRS 5.0.1 up to including 5.0.22
  • OTRS 6.0.0beta1

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

OTRS 3.3.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-01
Date: 2017-05-30
Title: Administrative privileges for agents by accessing the installer
Severity: High
Product: OTRS Help Desk 3.1.1 up to including 5.0.19
Fixed in: OTRS Help Desk 3.3.17, 4.0.24, 5.0.20
URL: http://znuny.com/en/#!/advisory/ZSA-2017-01
CVE: 2017-9324

Problem

An attacker with agent permission can gain administrative privileges / full access by opening the URL "otrs/index.pl?XXXXXX" (complete URL hidden for security reasons) in a browser. Afterwards, all system settings can be read and changed.

The following versions are affected by the described vulnerability:

  • OTRS 3.1.1 up to including 3.3.16
  • OTRS 4.0.1 up to including 4.0.23
  • OTRS 5.0.1 up to including 5.0.19

Workaround

Alternative 1) for Znuny4OTRS users

Please update or install the add-on Znuny4OTRS-Repo to the following versions and restart your web server:

  • OTRS 3.x → Znuny4OTRS-Repo 3.3.1
  • OTRS 4.0.x → Znuny4OTRS-Repo 4.0.14
  • OTRS 5.0.x → Znuny4OTRS-Repo 5.0.25

The package Znuny4OTRS-Repo contains a configuration file which deregisters the affected frontend module. No other parts of OTRS are affected.


Alternative 2) for conventional setups without Znuny4OTRS-Repo

Deregister the affected frontend module by adding the following lines to your Kernel/Config.pm:

[...]
  # Fixed security issue - https://znuny.com/en/#!/advisory/ZSA-2017-01
  # big thanks to @jtvogt
  # http://forums.otterhub.org/viewtopic.php?f=62&t=35249
  delete $Self->{'Frontend::Module'}->{Installer};
[...]

Solution

Install an OTRS patch level update as soon as it is available.

Download

It is recommended to update Znuny4OTRS-Repo using the OTRS package manager. Alternatively, the package can be downloaded from the following URLs:

  • OTRS 5.0.x → Znuny4OTRS-Repo 5.0.25 http://addons.znuny.com/api/addon_repos/public/615/latest
  • OTRS 4.0.x → Znuny4OTRS-Repo 4.0.14 http://addons.znuny.com/api/addon_repos/public/309/latest
  • OTRS 3.x → Znuny4OTRS-Repo 3.3.1 http://addons.znuny.com/api/addon_repos/public/142/latest

References

  • Vendor Advisory - https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
  • CVE - 2017-9324
  • Finding / full disclosure - http://forums.otterhub.org/viewtopic.php?f=62&t=35249
  • Thanks to Thomas Vogt - yourdata GmbH / (jtvogt) / otterhub.org

Details

ID: ZSA-2015-02
Date: 2015-09-29
Title: Affection of Proc::Daemon CVE-2013-7135
Severity: Low
Product: OTRS Help Desk 3.2.x, 3.3.x, 4.x
Fixed in: OTRS Help Desk 3.2.18, 3.3.15, 4.0.13
URL: http://znuny.com/en/#!/advisory/ZSA-2015-02
CVE: CVE-2015-6842

Problem

An attacker with a valid local user account could use the vulnerability in the Perl module "Proc::Daemon" (described in CVE-2013-7135) to gain privileged permissions on the scheduler log file.

Affected by this vulnerability are all releases of OTRS Help Desk 3.2.x up to and including 3.2.17, 3.3.x up to and including 3.3.14 and 4.x up to and including 4.0.12.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest patch level version.

References

Details

ID: ZSA-2015-01
Date: 2015-09-29
Title: "Privilege Escalation" vulnerability in Package iPhoneHandle
Severity: Critical
Product: iPhoneHandle 4.0.x (OTRS 4), iPhoneHandle 1.3.x (OTRS 3.3), iPhoneHandle 1.2.x (OTRS 3.2)
Fixed in: iPhoneHandle 4.0.2 (OTRS 4), iPhoneHandle 1.3.3 (OTRS 3.3), iPhoneHandle 1.2.2 (OTRS 3.2)
URL: http://znuny.com/en/#!/advisory/ZSA-2015-01
CVE: CVE-2015-6579

Problem

An attacker with valid OTRS agent credentials and active iPhoneHandle could access and manipulate the database or SysConfig.

Affected by this vulnerability are all releases of the OTRS Package iPhoneHandle.

Fixes

This vulnerability is fixed in the iPhoneHandle package. We recommend upgrading to the latest version via the package manager in the admin interface.

Workaround

Uninstall the iPhoneHandle package via the package manager in the admin interface.

References

Details

ID: ZSA-2014-06
Date: 2014-12-16
Title: Incomplete Access Control
Severity: Low
Product: OTRS Help Desk 3.2.x, 3.3.x, 4.x
Fixed in: OTRS Help Desk 3.2.17, 3.3.11, 4.0.3
URL: http://znuny.com/en/#!/advisory/ZSA-2014-06
CVE: 2014-9324

Problem

An attacker with valid OTRS credentials could, via the Generic Interface (only if it is used and configured), access and manipulate ticket data of other users.

Affected by this vulnerability are all releases of OTRS 3.2.x up to and including 3.2.16, 3.3.x up to and including 3.3.10 and 4.x up to and including 4.0.2.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 4.x:

OTRS 3.3.x:

OTRS 3.2.x:

References

Details

ID: ZSA-2014-05
Date: 2014-04-02
Title: Clickjacking issue
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.21, 3.2.16, 3.3.6
URL: http://znuny.com/en/#!/advisory/ZSA-2014-05
CVE: 2014-2554

Problem

An attacker could embed OTRS in a hidden <iframe> tag of another page, tricking the user into clicking links in OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.20, 3.2.x up to and including 3.2.15 and 3.3.x up to and including 3.3.5.
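The browser-side defence against the framing scenario described above is a response header that forbids embedding: the `frame-ancestors` directive of Content-Security-Policy, or the older `X-Frame-Options` header. The following Python script is an added example, not part of the advisory or of OTRS: it classifies the anti-framing protection present in a set of response headers and can fetch the headers of a live instance with a HEAD request. The sample responses are constructed, not captured from a real OTRS installation.

```python
"""Classify anti-framing protection in HTTP response headers (clickjacking check).

Added example; the sample responses below are constructed.
"""
import urllib.request
from typing import Dict


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'csp', 'xfo' or 'none' depending on the framing restriction found.

    'csp'  - a Content-Security-Policy frame-ancestors directive is present
             (the current standard; it overrides X-Frame-Options in browsers).
    'xfo'  - only X-Frame-Options DENY or SAMEORIGIN is present.
    'none' - no effective restriction. The obsolete ALLOW-FROM value is not
             honoured by current browsers and therefore counts as none.
    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and value.strip():
            return "csp"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"

    return "none"


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch the response headers of `url` with a HEAD request (live check only)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


# Constructed sample responses for an OTRS login page (not real captures).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html; charset=utf-8"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://intranet.example"},
    "x-frame-options": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:20s} -> {framing_policy(headers)}")
```

For a live check, pass the result of `fetch_headers("https://<your-otrs-host>/otrs/index.pl")` to `framing_policy`; a result of `none` on a patched installation means the protection is being stripped or overridden somewhere in front of OTRS (reverse proxy, load balancer), which is worth tracking down.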

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-04
Date: 2014-04-02
Title: XSS issue
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.21, 3.2.16, 3.3.6
URL: http://znuny.com/en/#!/advisory/ZSA-2014-04
CVE: 2014-2553

Problem

A logged-in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.20, 3.2.x up to and including 3.2.15 and 3.3.x up to and including 3.3.5.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-03
Date: 2014-03-03
Title: XSS attack via HTML-Email
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.20, 3.2.15, 3.3.5
URL: http://znuny.com/en/#!/advisory/ZSA-2014-03
CVE: 2014-1695

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared HTML email into OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.19, 3.2.x up to and including 3.2.14 and 3.3.x up to and including 3.3.4.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-02
Date: 2014-01-28
Title: SQL Injection with valid login
Severity: Medium
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.19, 3.2.14, 3.3.4
URL: http://znuny.com/en/#!/advisory/ZSA-2014-02
CVE: 2014-1471

Problem

An attacker with a valid login could manipulate URLs leading to SQL injection.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-01
Date: 2014-01-28
Title: XSS Issue in Customer-Interface
Severity: Medium
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.19, 3.2.14, 3.3.4
URL: http://znuny.com/en/#!/advisory/ZSA-2014-01
CVE: 2014-1694
Bug ID: 10099

Problem

An attacker could inject JavaScript code which would be executed by the browser of a user with valid customer login.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.14 and 3.3.x up to and including 3.3.3.

Fixes

This vulnerability is fixed in OTRS. We recommend updating to the new versions.

Download

OTRS Releases:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2012-01
Date: 2012-08-17
Title: XSS attack in Internet Explorer possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.9, OTRS 3.0.15, OTRS 2.4.13 or by installing the addon package Znuny4OTRS-CVE-2012-2582
URL: http://znuny.com/en/#!/advisory/ZSA-2012-01
CVE: CVE-2012-2582
VU: VU#582879

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, OTRS 3.0.x up to and including 3.0.14, as well as all 3.1.x versions up to and including 3.1.8.

Fixes

This vulnerability is not fixed in OTRS. We recommend installing the Znuny4OTRS-CVE-2012-2582 addon package.

Update 2012-08-23: In the meantime, a software update is also available from the vendor; please see the details.

Download

Workaround

As a workaround, you need to disable the rich text feature via SysConfig.

References

Demo

http://www.youtube.com/embed/vgTUN4yukdo

Details

ID: ZSA-2012-02
Date: 2012-08-30
Title: XSS attack in Firefox and Opera possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.10, OTRS 3.0.16, OTRS 2.4.14
URL: http://znuny.com/en/#!/advisory/ZSA-2012-02
CVE: CVE-2012-4600
VU: VU#511404

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.9.

Fixes

This vulnerability is fixed in OTRS (the releases OTRS 3.1.10, OTRS 3.0.16 and OTRS 2.4.14 will be published on 30 Aug 2012).

Download

Workaround I

As a workaround, you need to disable the rich text feature via SysConfig.

Workaround II

As a workaround, it is also possible to replace the following files with the fixed versions:

OTRS 3.1.x:

OTRS 3.0.x:

OTRS 2.4.x:

References

Details

ID: ZSA-2012-03
Date: 2012-10-16
Title: XSS attack in Firefox and Opera possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.11, OTRS 3.0.17, OTRS 2.4.15
URL: http://znuny.com/en/#!/advisory/ZSA-2012-03
CVE: CVE-2012-4751
VU: VU#603276

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.10.

Fixes

This vulnerability is fixed in OTRS (the releases OTRS 3.1.11, OTRS 3.0.17 and OTRS 2.4.15 will be published on 16 Oct 2012).

Download

Workaround I

As a workaround, you can disable the rich text feature via SysConfig.

Workaround II

As a workaround, it is also possible to replace the following files with the fixed versions:

OTRS 3.1.x:

OTRS 3.0.x:

OTRS 2.4.x:

References

Details

ID: ZSA-2013-01
Date: 2013-04-03
Title: Information disclosure and Data manipulation
Severity: Medium
Product: OTRS 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x; FAQ 2.0.x, 2.1.x, 2.2.x
Fixed in: OTRS Help Desk 3.0.19, 3.1.14, 3.2.4; OTRS ITSM 3.2.4, 3.1.8, 3.0.7; FAQ 2.2.3, 2.1.4, 2.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-01
CVE: CVE-2013-2625

Problem

An attacker with a valid agent login could manipulate URLs in the object linking mechanism to see the titles of tickets and other objects they are not permitted to see. Furthermore, links to objects the attacker has no permission for can be placed and removed.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.18, 3.1.x up to and including 3.1.13 and 3.2.x up to and including 3.2.3, as well as OTRS ITSM 3.0.x up to and including 3.0.6, 3.1.x up to and including 3.1.7 and 3.2.x up to and including 3.2.3, as well as FAQ 2.0.x up to and including 2.0.7, 2.1.x up to and including 2.1.3 and 2.2.x up to and including 2.2.2.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the package manager.

Workaround

As a workaround, you may update the affected files directly:

  • Kernel/Modules/AgentLinkObject.pm
  • Kernel/System/LinkObject.pm
  • Kernel/System/LinkObject/Ticket.pm

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-02
Date: 2013-04-03
Title: XSS vulnerability
Severity: Low
Product: OTRS ITSM 3.2.x, OTRS ITSM 3.1.x, OTRS ITSM 3.0.x, FAQ 2.1.x, FAQ 2.0.x
Fixed in: OTRS ITSM 3.2.4, 3.1.8, 3.0.7; FAQ 2.1.4, 2.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-02
CVE: CVE-2013-2637

Problem

An attacker with a valid agent login and with permission to write changes, work order items or FAQ articles could inject JavaScript code into the articles, which would be executed by the browser of other users reading the article.

Affected by this vulnerability are all releases of OTRS ITSM 3.0.x up to and including 3.0.6, 3.1.x up to and including 3.1.7 and 3.2.x up to and including 3.2.3 as well as FAQ 2.0.x up to and including 2.0.7 and 2.1.x up to and including 2.1.3.

Fixes

This vulnerability is fixed in OTRS. We recommend updating to the new versions.

Download

Just update the OPM packages via the package manager.

References

Details

ID: ZSA-2013-03
Date: 2013-06-03
Title: Information disclosure and Data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.20, 3.1.16, 3.2.7; OTRS ITSM 3.2.5, 3.1.9, 3.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-03
CVE: CVE-2013-3551

Problem

An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see the contents of tickets they are not permitted to see.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.19, 3.1.x up to and including 3.1.15 and 3.2.x up to and including 3.2.6, as well as OTRS ITSM 3.0.x up to and including 3.0.7, 3.1.x up to and including 3.1.8 and 3.2.x up to and including 3.2.4.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the package manager.

Workaround

As a workaround, you may update the affected files directly:

  • Kernel/Modules/AgentTicketPhone.pm

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-04
Date: 2013-06-18
Title: Information disclosure and Data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.21, 3.1.17, 3.2.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-04
CVE: CVE-2013-4088

Problem

An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see the contents of tickets they are not permitted to see.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.20, 3.1.x up to and including 3.1.16 and 3.2.x up to and including 3.2.7.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the package manager.

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-05
Date: 2013-07-09
Title: Information disclosure and Data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.22, 3.1.18, 3.2.9; OTRS ITSM 3.2.7, 3.1.10, 3.0.9
URL: http://znuny.com/en/#!/advisory/ZSA-2013-05
CVE: CVE-2013-4717/4718

Problem

An attacker with a valid agent login could manipulate URLs, leading to SQL injection. An attacker with a valid agent login could also manipulate URLs in the ITSM ConfigItem search, leading to JavaScript code injection (XSS).

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.21, 3.1.x up to and including 3.1.17 and 3.2.x up to and including 3.2.8, as well as OTRS ITSM 3.0.x up to and including 3.0.8, 3.1.x up to and including 3.1.9 and 3.2.x up to and including 3.2.6.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the package manager.

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2018-03
Date2018-07-31
TitlePrivilege escalation by HTML form parameter
SeverityHigh
ProductOTRS Help Desk 4.0.x up to including 6.0.9
Fixed inOTRS Help Desk 4.0.31, 5.0.29, 6.0.10
URLhttps://znuny.com/de/#!/advisory/ZSA-2018-03
CVECVE-2018-14593

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacker is able to change unprotected agent and customer user attributes by using modified request.

The following versions are affected by the described vulnerability:

  • OTRS 4.0.1 up to including 4.0.30
  • OTRS 5.0.1 up to including 5.0.28
  • OTRS 6.0.1 up to including 6.0.9

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2018-02
Date2018-06-12
TitleCode injection in the customer user ticket view.
Severitymittel
ProductOTRS Help Desk 6.0.x bis und einschliesslich 6.0.7
Fixed inOTRS Help Desk 6.0.7
URLhttps://znuny.com/de/#!/advisory/ZSA-2018-02
CVECVE-2018-11563

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacket is able to execute malicous code if a customer user changes the window size. The code is injected by special article content.

The following versions are affected by the described vulnerability:

  • OTRS 6.0.1 up to including 6.0.7

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

Solution

Upgrade to the latest available OTRS path level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2018-01
Date2018-05-04
TitleInformation Exposure of article details in the customer ticket overview
Severitymedium
ProductOTRS Help Desk 6.0.x up to including 6.0.6
Fixed inOTRS Help Desk 6.0.7
URLhttps://znuny.com/en/#!/advisory/ZSA-2018-01
CVE-

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacker who is logged in as a customer in OTRS can use the ticket overview to view internal article information of his customer tickets.

The following versions are affected by the described vulnerability:

  • OTRS 6.0.1 up to including 6.0.6

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2017-06
Date2017-12-19
TitlePrivilege escalation by session hijacking
Severityhigh
ProductOTRS Help Desk 4.0.x up to including 6.0.2
Fixed inOTRS Help Desk 4.0.28, 5.0.26, 6.0.3
URLhttps://znuny.com/en/#!/advisory/ZSA-2017-06
CVE-

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacker could, through a vulnerability in the processing of emails, take over the session from agents who click on a special link from an incoming email.

The following versions are affected by the described vulnerability:

  • OTRS 4.0.1 up to including 4.0.27
  • OTRS 5.0.1 up to including 5.0.25
  • OTRS 6.0.1 up to including 6.0.2

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2017-05
Date2017-12-05
TitleRemote Code Execution for agents when PGP is used
Severityhigh
ProductOTRS Help Desk 3.3.x up to including 6.0.1
Fixed inOTRS Help Desk 4.0.27, 5.0.25, 6.0.2
URLhttps://znuny.com/en/#!/advisory/ZSA-2017-05
CVE2017-16921

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacker with agent permission can use modified form parameters to execute arbitrary code in the operating system with web server permissions.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to including 3.3.20
  • OTRS 4.0.1 up to including 4.0.26
  • OTRS 5.0.1 up to including 5.0.24
  • OTRS 6.0.1

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

IDZSA-2017-04
Date2017-12-05
TitleInformation Disclosure in the customer interface when using the ticket search
Severitymedium
ProductOTRS Help Desk 3.3.x up to including 6.0.1
Fixed inOTRS Help Desk 4.0.27, 5.0.25, 6.0.2
URLhttps://znuny.com/en/#!/advisory/ZSA-2017-04
CVE2017-16854

Do you want to get informed about security issues in OTRS? Subscribe here.

Problem

An attacker with customer permission can use the ticket search in the customer interface to access information from internal articles.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to including 3.3.20
  • OTRS 4.0.1 up to including 4.0.26
  • OTRS 5.0.1 up to including 5.0.24
  • OTRS 6.0.1

Workaround

As a workaround the affected file can be replaced:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.

Details

ID: ZSA-2017-03
Date: 2017-11-21
Title: Remote Code Execution with webserver permissions
Severity: high
Product: OTRS Help Desk 3.3.x up to and including 5.0.23
Fixed in: OTRS Help Desk 3.3.20, 4.0.26, 5.0.24
URL: http://znuny.com/en/#!/advisory/ZSA-2017-03
CVE: CVE-2017-16664

Problem

An attacker with agent or customer permissions can use arbitrary HTTP parameters for the spell checker language to execute arbitrary code in the operating system with web server privileges. This can lead to serious problems such as privilege escalation, data loss, and denial of service.

The following versions are affected by the described vulnerability:

  • OTRS 3.3.1 up to and including 3.3.19
  • OTRS 4.0.1 up to and including 4.0.25
  • OTRS 5.0.1 up to and including 5.0.23

Workaround

As a workaround, you can replace the affected files directly:

OTRS 5.x:

OTRS 4.x:

OTRS 3.3.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-02
Date: 2017-09-19
Title: Administrative privileges for agents by uploading statistics
Severity: high
Product: OTRS Help Desk 3.3.x up to and including 6.0.beta1
Fixed in: OTRS Help Desk 3.3.18, 4.0.25, 5.0.23, OTRS 6.0.beta2
URL: https://znuny.com/en/#!/advisory/ZSA-2017-02
CVE: -

Problem

An attacker with agent privileges and statistics privileges can use the statistics upload to upload arbitrary code into the system. This can lead to serious problems such as privilege escalation, data loss and denial of service.

The vulnerability affects all versions of:

  • OTRS 3.3.1 up to and including 3.3.17
  • OTRS 4.0.1 up to and including 4.0.24
  • OTRS 5.0.1 up to and including 5.0.22
  • OTRS 6.0.0beta1

Workaround

As a workaround, you can replace the affected files directly:

OTRS 6.x:

OTRS 5.x:

OTRS 4.x:

OTRS 3.3.x:

Solution

Upgrade to the latest available OTRS patch level.

References

Details

ID: ZSA-2017-01
Date: 2017-05-30
Title: Administrative privileges for agents by accessing the installer
Severity: high
Product: OTRS Help Desk 3.1.1 up to and including 5.0.19
Fixed in: OTRS Help Desk 3.3.17, 4.0.24, 5.0.20
URL: http://znuny.com/en/#!/advisory/ZSA-2017-01
CVE: CVE-2017-9324

Problem

An attacker with agent permission can gain administrative privileges / full access by opening the URL „otrs/index.pl?XXXXXX“ (complete URL hidden for security reasons) in a browser. Afterwards, all system settings can be read and changed.

The following versions are affected by the described vulnerability:

  • OTRS 3.1.1 up to and including 3.3.16
  • OTRS 4.0.1 up to and including 4.0.23
  • OTRS 5.0.1 up to and including 5.0.19

Workaround

Alternative 1) for Znuny4OTRS users

Please update or install the add-on Znuny4OTRS-Repo to the following versions and restart your web server:

  • OTRS 3.x → Znuny4OTRS-Repo 3.3.1
  • OTRS 4.0.x → Znuny4OTRS-Repo 4.0.14
  • OTRS 5.0.x → Znuny4OTRS-Repo 5.0.25

The package Znuny4OTRS-Repo contains a configuration file which deregisters the affected frontend module. No other parts of OTRS are affected.


Alternative 2) for conventional setups without Znuny4OTRS-Repo

Deregister the affected frontend module by adding the following lines to your Kernel/Config.pm:

[...]
  # Fixed security issue - https://znuny.com/en/#!/advisory/ZSA-2017-01
  # big thanks to @jtvogt
  # http://forums.otterhub.org/viewtopic.php?f=62&t=35249
  delete $Self->{'Frontend::Module'}->{Installer};
[...]

Solution

Install an OTRS patch level update as soon as it is available.

Download

It is recommended to perform the update of Znuny4OTRS-Repo using the OTRS package manager. Alternatively, the package can be downloaded from the following URLs:

  • OTRS 5.0.x → Znuny4OTRS-Repo 5.0.25 http://addons.znuny.com/api/addon_repos/public/615/latest
  • OTRS 4.0.x → Znuny4OTRS-Repo 4.0.14 http://addons.znuny.com/api/addon_repos/public/309/latest
  • OTRS 3.x → Znuny4OTRS-Repo 3.3.1 http://addons.znuny.com/api/addon_repos/public/142/latest

References

  • Vendor Advisory - https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
  • CVE - 2017-9324
  • Finding / full disclosure - http://forums.otterhub.org/viewtopic.php?f=62&t=35249
  • Thanks to Thomas Vogt - yourdata GmbH / (jtvogt) / otterhub.org

Details

ID: ZSA-2015-02
Date: 2015-09-29
Title: Affected by Proc::Daemon CVE-2013-7135
Severity: Low
Product: OTRS Help Desk 3.2.x, 3.3.x, 4.x
Fixed in: OTRS Help Desk 3.2.18, 3.3.15, 4.0.13
URL: http://znuny.com/en/#!/advisory/ZSA-2015-02
CVE: CVE-2015-6842

Problem

An attacker with a valid local user account could use the vulnerability in the Perl module "Proc::Daemon" (described in CVE-2013-7135) to gain privileged permissions on the scheduler logfile.

Affected by this vulnerability are all releases of OTRS Help Desk 3.2.x up to and including 3.2.17, 3.3.x up to and including 3.3.14 and 4.x up to and including 4.0.12.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest patch level version.

References

Details

ID: ZSA-2015-01
Date: 2015-09-29
Title: "Privilege Escalation" vulnerability in Package iPhoneHandle
Severity: Critical
Product: iPhoneHandle 4.0.x (OTRS 4), iPhoneHandle 1.3.x (OTRS 3.3), iPhoneHandle 1.2.x (OTRS 3.2)
Fixed in: iPhoneHandle 4.0.2 (OTRS 4), iPhoneHandle 1.3.3 (OTRS 3.3), iPhoneHandle 1.2.2 (OTRS 3.2)
URL: http://znuny.com/en/#!/advisory/ZSA-2015-01
CVE: CVE-2015-6579

Problem

An attacker with valid OTRS agent credentials and active iPhoneHandle could access and manipulate the database or SysConfig.

Affected by this vulnerability are all releases of the OTRS Package iPhoneHandle.

Fixes

This vulnerability is fixed in the iPhoneHandle package. We recommend upgrading to the latest version via the package manager in the admin interface.

Workaround

Uninstall the iPhoneHandle package via the package manager in the admin interface.

References

Details

ID: ZSA-2014-06
Date: 2014-12-16
Title: Incomplete Access Control
Severity: Low
Product: OTRS Help Desk 3.2.x, 3.3.x, 4.x
Fixed in: OTRS Help Desk 3.2.17, 3.3.11, 4.0.3
URL: http://znuny.com/en/#!/advisory/ZSA-2014-06
CVE: CVE-2014-9324

Problem

An attacker with valid OTRS credentials could, via the Generic Interface (only if it is used and configured), access and manipulate ticket data of other users.

Affected by this vulnerability are all releases of OTRS 3.2.x up to and including 3.2.16, 3.3.x up to and including 3.3.10 and 4.x up to and including 4.0.2.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 4.x:

OTRS 3.3.x:

OTRS 3.2.x:

References

Details

ID: ZSA-2014-05
Date: 2014-04-02
Title: Clickjacking issue
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.21, 3.2.16, 3.3.6
URL: http://znuny.com/en/#!/advisory/ZSA-2014-05
CVE: CVE-2014-2554

Problem

An attacker could embed OTRS in a hidden <iframe> tag of another page, tricking the user into clicking links in OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.20, 3.2.x up to and including 3.2.15 and 3.3.x up to and including 3.3.5.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-04
Date: 2014-04-02
Title: XSS issue
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.21, 3.2.16, 3.3.6
URL: http://znuny.com/en/#!/advisory/ZSA-2014-04
CVE: CVE-2014-2553

Problem

A logged-in attacker could insert specially crafted content into dynamic fields, leading to JavaScript code being executed in OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.20, 3.2.x up to and including 3.2.15 and 3.3.x up to and including 3.3.5.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-03
Date: 2014-03-03
Title: XSS attack via HTML email
Severity: Low
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.20, 3.2.15, 3.3.5
URL: http://znuny.com/en/#!/advisory/ZSA-2014-03
CVE: CVE-2014-1695

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared HTML email into OTRS.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.19, 3.2.x up to and including 3.2.14 and 3.3.x up to and including 3.3.4.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-02
Date: 2014-01-28
Title: SQL Injection with valid login
Severity: Medium
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.19, 3.2.14, 3.3.4
URL: http://znuny.com/en/#!/advisory/ZSA-2014-02
CVE: CVE-2014-1471

Problem

An attacker with a valid login could manipulate URLs leading to SQL injection.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2014-01
Date: 2014-01-28
Title: XSS Issue in Customer Interface
Severity: medium
Product: OTRS Help Desk 3.1.x, 3.2.x, 3.3.x
Fixed in: OTRS Help Desk 3.1.19, 3.2.14, 3.3.4
URL: http://znuny.com/en/#!/advisory/ZSA-2014-01
CVE: CVE-2014-1694
Bug ID: 10099

Problem

An attacker could inject JavaScript code which would be executed by the browser of a user with valid customer login.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.14 and 3.3.x up to and including 3.3.3.

Fixes

This vulnerability is fixed in OTRS. We recommend updating to the new versions.

Download

OTRS Releases:

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.3.x:

OTRS 3.2.x:

OTRS 3.1.x:

References

Details

ID: ZSA-2012-01
Date: 2012-08-17
Title: XSS attack in Internet Explorer possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.9, OTRS 3.0.15, OTRS 2.4.13 or by installing the addon package Znuny4OTRS-CVE-2012-2582
URL: http://znuny.com/en/#!/advisory/ZSA-2012-01
CVE: CVE-2012-2582
VU: VU#582879

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, OTRS 3.0.x up to and including 3.0.14, as well as all 3.1.x versions up to and including 3.1.8.

Fixes

This vulnerability is not fixed in OTRS. We recommend installing the Znuny4OTRS-CVE-2012-2582 addon package.

Update 2012-08-23: In the meantime, a software update is also available from the vendor; please see the details.

Download

Workaround

As a workaround, disable the rich text feature via SysConfig.

References

Demo

http://www.youtube.com/embed/vgTUN4yukdo

Details

ID: ZSA-2012-02
Date: 2012-08-30
Title: XSS attack in Firefox and Opera possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.10, OTRS 3.0.16, OTRS 2.4.14
URL: http://znuny.com/en/#!/advisory/ZSA-2012-02
CVE: CVE-2012-4600
VU: VU#511404

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.9.

Fixes

This vulnerability is fixed in OTRS (the releases of OTRS 3.1.10, OTRS 3.0.16 and OTRS 2.4.14 will be published on 30 Aug 2012).

Download

Workaround I

As a workaround, disable the rich text feature via SysConfig.

Workaround II

As a workaround, it is also possible to replace the following files with the fixed versions:

OTRS 3.1.x:

OTRS 3.0.x:

OTRS 2.4.x:

References

Details

ID: ZSA-2012-03
Date: 2012-10-16
Title: XSS attack in Firefox and Opera possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.11, OTRS 3.0.17, OTRS 2.4.15
URL: http://znuny.com/en/#!/advisory/ZSA-2012-03
CVE: CVE-2012-4751
VU: VU#603276

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.10.

Fixes

This vulnerability is fixed in OTRS (the releases of OTRS 3.1.11, OTRS 3.0.17 and OTRS 2.4.15 will be published on 16 Oct 2012).

Download

Workaround I

As a workaround, you can disable the rich text feature via SysConfig.

Workaround II

As a workaround, it is also possible to replace the following files with the fixed versions:

OTRS 3.1.x:

OTRS 3.0.x:

OTRS 2.4.x:

References

Details

ID: ZSA-2013-01
Date: 2013-04-03
Title: Information disclosure and data manipulation
Severity: Medium
Product: OTRS 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x; FAQ 2.0.x, 2.1.x, 2.2.x
Fixed in: OTRS Help Desk 3.0.19, 3.1.14, 3.2.4; OTRS ITSM 3.2.4, 3.1.8, 3.0.7; FAQ 2.2.3, 2.1.4, 2.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-01
CVE: CVE-2013-2625

Problem

An attacker with a valid agent login could manipulate URLs in the object linking mechanism to see the titles of tickets and other objects they are not permitted to see. Furthermore, links to objects the attacker has no permission for can be placed and removed.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.18, 3.1.x up to and including 3.1.13 and 3.2.x up to and including 3.2.3, as well as OTRS ITSM 3.0.x up to and including 3.0.6, 3.1.x up to and including 3.1.7 and 3.2.x up to and including 3.2.3, as well as FAQ 2.0.x up to and including 2.0.7, 2.1.x up to and including 2.1.3 and 2.2.x up to and including 2.2.2.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the Package Manager.

Workaround

As a workaround, you may update the affected files directly:

  • Kernel/Modules/AgentLinkObject.pm
  • Kernel/System/LinkObject.pm
  • Kernel/System/LinkObject/Ticket.pm

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-02
Date: 2013-04-03
Title: XSS vulnerability
Severity: Low
Product: OTRS ITSM 3.2.x, OTRS ITSM 3.1.x, OTRS ITSM 3.0.x, FAQ 2.1.x, FAQ 2.0.x
Fixed in: OTRS ITSM 3.2.4, 3.1.8, 3.0.7; FAQ 2.1.4, 2.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-02
CVE: CVE-2013-2637

Problem

An attacker with a valid agent login and with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.

Affected by this vulnerability are all releases of OTRS ITSM 3.0.x up to and including 3.0.6, 3.1.x up to and including 3.1.7 and 3.2.x up to and including 3.2.3 as well as FAQ 2.0.x up to and including 2.0.7 and 2.1.x up to and including 2.1.3.

Fixes

This vulnerability is fixed in OTRS. We recommend updating to the new versions.

Download

Just update the OPM packages via the Package Manager.

References

Details

ID: ZSA-2013-03
Date: 2013-06-03
Title: Information disclosure and data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.20, 3.1.16, 3.2.7; OTRS ITSM 3.2.5, 3.1.9, 3.0.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-03
CVE: CVE-2013-3551

Problem

An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see the contents of tickets they are not permitted to see.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.19, 3.1.x up to and including 3.1.15 and 3.2.x up to and including 3.2.6, as well as OTRS ITSM 3.0.x up to and including 3.0.7, 3.1.x up to and including 3.1.8 and 3.2.x up to and including 3.2.4.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the Package Manager.

Workaround

As a workaround, you may update the affected file directly:

  • Kernel/Modules/AgentTicketPhone.pm

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-04
Date: 2013-06-18
Title: Information disclosure and data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.21, 3.1.17, 3.2.8
URL: http://znuny.com/en/#!/advisory/ZSA-2013-04
CVE: CVE-2013-4088

Problem

An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see the contents of tickets they are not permitted to see.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.20, 3.1.x up to and including 3.1.16 and 3.2.x up to and including 3.2.7.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the Package Manager.

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References

Details

ID: ZSA-2013-05
Date: 2013-07-09
Title: Information disclosure and data manipulation
Severity: Medium
Product: OTRS Help Desk 3.0.x, 3.1.x, 3.2.x; OTRS ITSM 3.0.x, 3.1.x, 3.2.x
Fixed in: OTRS Help Desk 3.0.22, 3.1.18, 3.2.9; OTRS ITSM 3.2.7, 3.1.10, 3.0.9
URL: http://znuny.com/en/#!/advisory/ZSA-2013-05
CVE: CVE-2013-4717 / CVE-2013-4718

Problem

An attacker with a valid agent login could manipulate URLs, leading to SQL injection. An attacker with a valid agent login could also manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.21, 3.1.x up to and including 3.1.17 and 3.2.x up to and including 3.2.8, as well as OTRS ITSM 3.0.x up to and including 3.0.8, 3.1.x up to and including 3.1.9 and 3.2.x up to and including 3.2.6.

Fixes

This vulnerability is fixed in OTRS. We recommend upgrading to the latest version.

Download

OTRS Release:

OPM Packages:

Just update the OPM packages via the Package Manager.

Workaround

As a workaround, you may update the affected files directly:

OTRS 3.2.x:

OTRS 3.1.x:

OTRS 3.0.x:

References
