Debian Security Advisory
DLA-1816-1 otrs2 -- LTS security update
- Date Reported: 11 Jun 2019
- Affected Packages: otrs2
- Security database references: In Mitre's CVE dictionary: CVE-2019-12248, CVE-2019-12497.
- More information:
Two security vulnerabilities were discovered in the Open Ticket Request System that could lead to information disclosure or privilege escalation. New configuration options were added to resolve those problems.
An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.
In the customer or external frontend, personal information of agents, such as name and mail address, can be disclosed in external notes.
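To illustrate the first issue (a quoted HTML mail making the agent's browser fetch images from a remote host), here is an added example that is not OTRS code and not the fix shipped in this update: it rewrites a quoted HTML body so that `<img>` sources pointing outside the mail are no longer fetched. The function names, the `data-blocked-` attribute prefix and the sample mail are constructed for illustration, and only `<img src>` and `srcset` are handled.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes resolved from the mail itself: cid: (inline MIME part), data: (embedded bytes).
LOCAL_SCHEMES = {"cid", "data"}

def is_external(url):
    """True if loading url would make the browser contact another host."""
    parts = urlsplit((url or "").strip())
    # Any other scheme, or a host part (including protocol-relative //host/...), is external.
    return parts.scheme.lower() not in LOCAL_SCHEMES and bool(parts.scheme or parts.netloc)

class QuoteSanitizer(HTMLParser):
    """Re-emits HTML; external image sources are renamed so they are kept but not fetched.
    Comments and declarations are dropped. This is not an XSS filter."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, end=">"):
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name in ("src", "srcset") and value is not None:
                # srcset is a comma-separated list of "url descriptor" candidates.
                urls = [value] if name == "src" else [c.split()[0] for c in value.split(",") if c.strip()]
                hits = [u for u in urls if is_external(u)]
                if hits:
                    self.blocked += hits
                    name = "data-blocked-" + name
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + end)

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize_quote(html_body):
    """Return (sanitized_html, list_of_blocked_urls) for a mail body about to be quoted."""
    parser = QuoteSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample mail body: one remote pixel, one inline part, one protocol-relative image.
SAMPLE = ('<p>Hello &amp; welcome</p>'
          '<img src="https://tracker.example/pixel.gif?id=42" width="1">'
          '<img src="cid:logo@mail"><IMG SRC="//cdn.example/a.png">')
```
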
For Debian 8 "Jessie", these problems have been fixed in version 3.3.18-1+deb8u10.
We recommend that you upgrade your otrs2 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS