CVE-2019-12497

NameCVE-2019-12497
DescriptionAn issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1816-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)buster/non-free6.0.16-2vulnerable
bullseye/non-free, sid/non-free6.0.28-2fixed
stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2source(unstable)6.0.19-1
otrs2sourcejessie3.3.18-1+deb8u10DLA-1816-1

Notes

[buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/
OTRS 6: https://github.com/OTRS/otrs/commit/f8bcf08dfc5f06915c1352c07e5f626f9b5ecfc2
OTRS 5: https://github.com/OTRS/otrs/commit/d4cc3f0e24937fa53870132003aec6af460b9b57

Search for package or bug name: Reporting problems