
             AUSCERT External Security Bulletin Redistribution

                           otrs2 security update
                              31 August 2023


        AusCERT Security Bulletin Summary

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-38060 CVE-2022-4427 CVE-2021-41184
                   CVE-2021-41183 CVE-2021-41182 CVE-2021-36100
                   CVE-2021-36091 CVE-2021-21443 CVE-2021-21441
                   CVE-2021-21440 CVE-2021-21439 CVE-2021-21252
                   CVE-2020-11023 CVE-2020-11022 CVE-2020-1776
                   CVE-2020-1774 CVE-2020-1773 CVE-2020-1772
                   CVE-2020-1771 CVE-2020-1770 CVE-2020-1769
                   CVE-2020-1767 CVE-2020-1766 CVE-2020-1765
                   CVE-2019-18180 CVE-2019-18179 CVE-2019-16375
                   CVE-2019-13458 CVE-2019-12746 CVE-2019-12497
                   CVE-2019-12248 CVE-2019-11358 

Original Bulletin: 

Comment: CVSS (Max):  9.8 CVE-2022-4427 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: [NIST], GitHub
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3551-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
August 31, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : otrs2
Version        : 6.0.16-2+deb10u1
CVE ID         : CVE-2019-11358 CVE-2019-12248 CVE-2019-12497 CVE-2019-12746
                 CVE-2019-13458 CVE-2019-16375 CVE-2019-18179 CVE-2019-18180
                 CVE-2020-1765 CVE-2020-1766 CVE-2020-1767 CVE-2020-1769
                 CVE-2020-1770 CVE-2020-1771 CVE-2020-1772 CVE-2020-1773
                 CVE-2020-1774 CVE-2020-1776 CVE-2020-11022 CVE-2020-11023
                 CVE-2021-21252 CVE-2021-21439 CVE-2021-21440 CVE-2021-21441
                 CVE-2021-21443 CVE-2021-36091 CVE-2021-36100 CVE-2021-41182
                 CVE-2021-41183 CVE-2021-41184 CVE-2022-4427 CVE-2023-38060
Debian Bug     : 945251 959448 980891 989992 991593

Multiple vulnerabilities were found in otrs2, the Open-Source Ticket
Request System, which could lead to impersonation, denial of service,
information disclosure, or execution of arbitrary code.


    A Prototype Pollution vulnerability was discovered in OTRS' embedded
    jQuery 3.2.1 copy, which could allow sending drafted messages as the
    wrong agent.

    This vulnerability is also known as OSA-2020-05.


    Matthias Terlinde discovered that when an attacker sends a malicious
    email to an OTRS system and a logged in agent user later quotes it,
    the email could cause the browser to load external image resources.

    A new configuration setting ‘Ticket::Frontend::BlockLoadingRemo
    has been added as part of the fix.  It controls whether external
    content should be loaded, and it is disabled by default.

    This vulnerability is also known as OSA-2019-08.


    Jens Meister discovered that in the customer or external frontend,
    personal information of agents, like Name and mail address in
    external notes, could be disclosed.

    A new configuration setting ‘Ticket::Frontend::CustomerTicketZoo
    has been added as part of the fix.  It controls whether agent
    information should be displayed in the external note sender field,
    or be substituted with a different generic name.  Another option
    named ’ can then be used to define the generic agent name used in
    the latter case.  By default, the previous behaviour is preserved,
    in which agent information is divulged in the external note From
    field, for the sake of backwards compatibility.

    This vulnerability is also known as OSA-2019-09.


    A user logged into OTRS as an agent might unknowingly disclose their
    session ID by sharing the link of an embedded ticket article with
    third parties.  This identifier can be then potentially abused in
    order to impersonate the agent user.

    This vulnerability is also known as OSA-2019-10.


    An attacker who is logged into OTRS as an agent user with
    appropriate permissions can leverage OTRS tags in templates in order
    to disclose hashed user passwords.

    This vulnerability is also known as OSA-2019-12.


    An attacker who is logged into OTRS as an agent or customer user
    with appropriate permissions can create a carefully crafted string
    containing malicious JavaScript code as an article body.  This
    malicious code is executed when an agent composes an answer to the
    original article.

    This vulnerability is also known as OSA-2019-13.


    An attacker who is logged into OTRS as an agent is able to list
    tickets assigned to other agents in queues where the attacker does
    not have permissions.

    This vulnerability is also known as OSA-2019-14.


    OTRS can be put into an endless loop by providing filenames with
    overly long extensions.  This applies to the PostMaster (sending in
    email) and also upload (attaching files to mails, for example).

    This vulnerability is also known as OSA-2019-15.


    Sebastian Renker and Jonas Becker discovered an improper control of
    parameters, which allows the spoofing of the From fields in several
    screens, namely AgentTicketCompose, AgentTicketForward,
    AgentTicketBounce and AgentTicketEmailOutbound.

    This vulnerability is also known as OSA-2020-01.


    Anton Astaf'ev discovered that due to improper handling of uploaded
    images, it is possible (in very unlikely and rare conditions) to
    force the agent's browser to execute malicious JavaScript from a
    specially crafted SVG file rendered as an inline JPG file.

    This vulnerability is also known as OSA-2020-02.


    Agent A is able to save a draft (i.e., for customer reply).  Then
    Agent B can open the draft, change the text completely and send it
    in the name of Agent A.  For the customer it will not be visible
    that the message was sent by another agent.

    This vulnerability is also known as OSA-2020-03.


    Martin Møller discovered that in the login screens (in the agent and
    customer interface), the Username and Password fields use
    autocomplete, which might be considered a security issue.

    A new configuration setting ‘DisableLoginAutocomplete’ has been
    added as part of the fix.  It controls whether to disable
    autocompletion in the login forms, by setting the
    autocomplete="off" attribute on the login input fields.  Note that
    some browsers ignore it by default (usually this can be changed in
    the browser configuration).

    This vulnerability is also known as OSA-2020-06.


    Matthias Terlinde discovered that the support bundle generated files
    could contain sensitive information, such as user credentials.

    This vulnerability is also known as OSA-2020-07.


    Christoph Wuetschne discovered that an attacker is able to craft an
    article with a link to the customer address book with malicious
    content (JavaScript).  When an agent opens the link, the JavaScript
    code is executed due to missing parameter encoding.

    This vulnerability is also known as OSA-2020-08.


    Fabian Henneke discovered that it is possible to craft Lost Password
    requests with wildcards in the Token value, which allows an attacker
    to retrieve valid Token(s), generated by users which already
    requested new passwords.

    This vulnerability is also known as OSA-2020-09.


    Fabian Henneke discovered that an attacker with the ability to
    generate session IDs or password reset tokens, either by being able
    to authenticate or by exploiting CVE-2020-1772, may be able to
    predict other users session IDs, password reset tokens and
    automatically generated passwords.

    The fix adds ‘libmath-random-secure-perl’ to otrs2's De

    This vulnerability is also known as OSA-2020-10.
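The two findings above (OSA-2020-09, wildcards in a Lost Password token lookup, and OSA-2020-10, predictable tokens from a non-cryptographic random source) share one remediation pattern: generate tokens from a CSPRNG, validate the shape of the value a client supplies, and match it by exact equality rather than as a pattern. The Python below is an added example written for this bulletin; it is not OTRS code and the advisory's Perl fix is not reproduced. The table name `reset_token` and the function names are constructed for illustration, and the in-memory SQLite database stands in for whatever store the application uses.

```python
import random
import secrets
import sqlite3

TOKEN_BYTES = 32  # 256 bits of entropy; the hex form is 64 characters


def predictable_token(seed):
    # Constructed contrast, not OTRS code: a general-purpose PRNG seeded with a
    # guessable value (time, PID, ...) reproduces the same "token" for the same seed,
    # which is the weakness OSA-2020-10 describes.
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(TOKEN_BYTES))


def generate_token():
    # CSPRNG-backed token; the advisory's fix pulls in Math::Random::Secure for
    # the same reason.
    return secrets.token_hex(TOKEN_BYTES)


def make_db():
    # Constructed in-memory table; the real OTRS schema is not reproduced here.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reset_token (user_login TEXT NOT NULL, token TEXT NOT NULL UNIQUE)"
    )
    return conn


def issue_token(conn, user_login):
    token = generate_token()
    conn.execute(
        "INSERT INTO reset_token (user_login, token) VALUES (?, ?)", (user_login, token)
    )
    return token


def lookup_token_weak(conn, supplied):
    # Weak pattern (the OSA-2020-09 shape): the client-controlled value drives a
    # LIKE, so '%' and '_' act as wildcards even though the query is parameterised,
    # and one request can match tokens issued to other users.
    rows = conn.execute(
        "SELECT user_login FROM reset_token WHERE token LIKE ?", (supplied,)
    ).fetchall()
    return [r[0] for r in rows]


def is_well_formed_token(value):
    # Exactly 2 * TOKEN_BYTES lowercase hex characters; anything else is rejected
    # before it reaches the database.
    return (
        isinstance(value, str)
        and len(value) == 2 * TOKEN_BYTES
        and all(c in "0123456789abcdef" for c in value)
    )


def lookup_token_hardened(conn, supplied):
    # Validate the shape first (this alone removes wildcards), then match by exact
    # equality so the database never interprets the value as a pattern.
    if not is_well_formed_token(supplied):
        return None
    row = conn.execute(
        "SELECT user_login FROM reset_token WHERE token = ?", (supplied,)
    ).fetchone()
    return row[0] if row else None


def demo():
    # Two users request a reset; a single '%' matches both tokens through the weak
    # lookup and nothing through the hardened one.
    conn = make_db()
    issue_token(conn, "alice")
    issue_token(conn, "bob")
    return len(lookup_token_weak(conn, "%")), lookup_token_hardened(conn, "%")


if __name__ == "__main__":
    print("weak matches, hardened result:", demo())
    print("same seed, same token:", predictable_token(1) == predictable_token(1))
```

The shape check is the important half: once the token is known to be fixed-length hex, neither a LIKE wildcard nor an injection payload can survive it, and the equality query is then a belt-and-braces measure. The seeded `predictable_token` is only there to make the OSA-2020-10 point visible; a real application should never expose such a function.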


    When a user downloads PGP or S/MIME keys/certificates, the exported
    file has the same name for private and public keys.  It is therefore
    possible to mix them up and send the private key to a third party
    instead of the public key.

    This vulnerability is also known as OSA-2020-11.


    When an agent user is renamed or set to invalid, the session
    belonging to the user is kept active.  The session cannot be used
    to access ticket data in the case where the agent is invalid.

    This vulnerability is also known as OSA-2020-13.


    Masato Kinugawa discovered a Potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1's htmlPrefilter and related methods.

    The fix requires patching embedded copies of fullcalendar (3.4.0),
    fullcalendar-scheduler (1.6.2) and spectrum (1.8.0).

    This vulnerability is also known as OSA-2020-14.


    Masato Kinugawa discovered a Potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1 copy when appending HTML containing option

    This vulnerability is also known as OSA-2020-14.


    Erik Krogh Kristensen and Alvaro Muñoz from the GitHub Security Lab
    team discovered a Regular Expression Denial of Service (ReDoS)
    vulnerability in OTRS' embedded jQuery-validate 1.16.0 copy.


    A Denial of Service (DoS) attack can be performed when an email
    contains a specially designed URL in the body.  It can lead to
    high CPU usage and cause low quality of service, or in the extreme
    case bring the system to a halt.

    This vulnerability is also known as OSA-2021-09 or ZSA-2021-03.


    Julian Droste and Mathias Terlinde discovered that the generated
    Support Bundles contain private S/MIME and PGP keys when the parent
    directory is not hidden.  Furthermore, secrets and PINs for the keys
    are not masked properly.

    This vulnerability is also known as OSA-2021-10 or ZSA-2021-08.


    There is a Cross-Site Scripting (XSS) vulnerability in the ticket
    overview screens.  It is possible to collect various information by
    having an e-mail shown in the overview screen.  An attack can be
    performed by sending a specially crafted e-mail to the system, which
    does not require any user interaction.

    This vulnerability is also known as OSA-2021-11 or ZSA-2021-06.


    Agents are able to list customer user emails without required
    permissions in the bulk action screen.

    This vulnerability is also known as OSA-2021-13 or ZSA-2021-09.


    Agents are able to list appointments in the calendars without
    required permissions.

    This vulnerability is also known as OSA-2021-14 or ZSA-2021-10.


    Rayhan Ahmed and Maxime Brigaudeau discovered that a specially
    crafted string in the system configuration allows execution of
    arbitrary system commands.

    The fix 1/ removes configurable system commands from generic agents;
    2/ removes the ‘MIME-Viewer###…’ settings (the system command in
    SysConfig option "MIME-Viewer" is now only configurable via
    Kernel/Config.pm); 3/ removes dashboard widget support for execution
    of system commands; and 4/ deactivates support for execution of
    configurable system commands from Sendmail and PostMaster pre-filter

    This vulnerability is also known as OSA-2022-03 or ZSA-2022-02.


    Esben Sparre Andreasen discovered an XSS vulnerability in the
    `altField` option of the Datepicker widget in OTRS' embedded
    jQuery-UI 1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.


    Esben Sparre Andreasen discovered an XSS vulnerability in the
    `*Text` options of the Datepicker widget in OTRS' embedded jQuery-UI
    1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.


    Esben Sparre Andreasen discovered an XSS vulnerability in the `of`
    option of the `.position()` util in OTRS' embedded jQuery-UI 1.12.1

    This vulnerability is also known as ZSA-2022-01.


    Tim Püttmanns discovered an SQL injection vulnerability in
    Kernel::System::Ticket::TicketSearch, which can be exploited using
    the web service operation "TicketSearch".

    This vulnerability is also known as ZSA-2022-07.


    Tim Püttmanns discovered an Improper Input Validation vulnerability
    in the ContentType parameter for attachments on TicketCreate or
    TicketUpdate operations.
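Two of the findings in this advisory concern attachment handling: OSA-2020-02 (an SVG file declared and rendered as an inline JPG) and the final item, improper validation of the ContentType parameter on TicketCreate/TicketUpdate. The check below is an added example for this bulletin, not OTRS code and not the project's fix; the sample byte strings are constructed, the `INLINE_TYPES` allowlist and the function names are assumptions, and the dispositions it returns are what a defender would want a web service to apply before storing or serving an uploaded attachment.

```python
import re

# Constructed samples (not from the advisory): the leading bytes of real file formats.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'

# Media types the application is willing to let a browser render inline (assumption).
INLINE_TYPES = {"image/jpeg", "image/png", "image/gif", "text/plain"}

# RFC 2045-style type/subtype with optional "; attr=value" parameters. Control
# characters, CR/LF header injection and a missing subtype all fail to match.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
CONTENT_TYPE_RE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"\r\n]*\"))*$"
)


def sniff_type(data):
    """Return the media type implied by the leading bytes, or None if unknown."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"GIF87a") or data.startswith(b"GIF89a"):
        return "image/gif"
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in data.lower()):
        return "image/svg+xml"
    return None


def normalize_content_type(declared):
    """Validate a client-supplied ContentType and return the bare media type, or None."""
    if not isinstance(declared, str) or len(declared) > 255:
        return None
    if not CONTENT_TYPE_RE.match(declared):
        return None
    return declared.split(";", 1)[0].strip().lower()


def classify_attachment(declared, data):
    """Decide how an uploaded attachment may be served.

    Returns (disposition, headers) with disposition one of 'inline', 'attachment'
    or 'reject'. The declared type must be well formed, must agree with what the
    bytes look like, and only allowlisted types are ever rendered inline."""
    media_type = normalize_content_type(declared)
    if media_type is None:
        return "reject", {}
    sniffed = sniff_type(data)
    # Active content disguised as an image: declared JPEG, bytes say SVG.
    if sniffed is not None and sniffed != media_type:
        return "reject", {}
    # A declared image whose bytes match no known image signature is not trusted either.
    if media_type.startswith("image/") and sniffed is None:
        return "reject", {}
    headers = {"Content-Type": media_type, "X-Content-Type-Options": "nosniff"}
    if media_type in INLINE_TYPES:
        headers["Content-Disposition"] = "inline"
        return "inline", headers
    # SVG and everything else outside the allowlist is only ever offered as a download.
    headers["Content-Disposition"] = "attachment"
    return "attachment", headers


if __name__ == "__main__":
    for declared, data in [
        ("image/jpeg", JPEG_SAMPLE),
        ("image/jpeg", SVG_SAMPLE),
        ("image/svg+xml", SVG_SAMPLE),
        ("text/html\r\nX-Injected: 1", b"x"),
    ]:
        print(repr(declared), "->", classify_attachment(declared, data)[0])
```

The `nosniff` header matters as much as the allowlist: without it a browser may second-guess `Content-Type` and treat a downloaded SVG or text file as HTML. Validating the parameter before it is stored also keeps a malformed value from being echoed later into a response header.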

For Debian 10 buster, these problems have been fixed in version
6.0.16-2+deb10u1.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://auscert.org.au/gpg-key/