CVE-2019-12746

NameCVE-2019-12746
DescriptionAn issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1877-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free6.0.16-2vulnerable
bullseye/non-free, sid/non-free6.0.23-2fixed
jessie3.3.18-1+deb8u4vulnerable
jessie (security)3.3.18-1+deb8u11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2source(unstable)6.0.20-1medium
otrs2sourcejessie3.3.18-1+deb8u11mediumDLA-1877-1

Notes

[buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
OTRS 6: https://github.com/OTRS/otrs/commit/fab16a8e54aaf033f460e5f98c673248f29ea49c
OTRS 6: https://github.com/OTRS/otrs/commit/cc08cb7df9f6dde05de2f8c6cbd59cd5d0952627
OTRS 5: https://github.com/OTRS/otrs/commit/7ab33e51a4db9f712e979040f644d0d0c39ff0af

Search for package or bug name: Reporting problems