DescriptionIn the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)buster/non-free6.0.16-2fixed
bullseye/non-free, sid/non-free6.0.30-1fixed
stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Root cause for the issue is the recursive parsing handling in the old
DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4
OTRS switched to a new Template::Toolkit based engine which does not perform
recursive parsing and not affected by this issue.

Search for package or bug name: Reporting problems