VulnerableCode Package Details - pkg:deb/ubuntu/otrs2@6.0.25-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-tv97-anfg-aaam Aliases: CVE-2019-11358 GHSA-6c3j-c64m-qhgq	jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.	6.0.26-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tv97-anfg-aaam
Aliases:
CVE-2019-11358
GHSA-6c3j-c64m-qhgq

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

6.0.26-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-22fm-yj4j-aaas	Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.	CVE-2020-1767
VCID-m2b8-zu9e-aaan	Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.	CVE-2020-1766
VCID-wda8-cepu-aaap	An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.	CVE-2020-1765

Vulnerability

Summary

Aliases

VCID-22fm-yj4j-aaas

Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

CVE-2020-1767

VCID-m2b8-zu9e-aaan

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

CVE-2020-1766

VCID-wda8-cepu-aaap

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

CVE-2020-1765

Next non-vulnerable version	6.0.26-1
Latest non-vulnerable version	6.0.26-1
Risk	10.0