Update Info

openSUSE-2019-748


Security update for otrs


Type: security
Severity: moderate
Issued: 2019-03-23
Description:
This update for otrs to version 4.0.32 fixes the following issues:

These security issues were fixed:

- CVE-2018-16586: An attacker could have sent a malicious email to an OTRS
  system. If a logged in user opens it, the email could have caused the browser
  to load external image or CSS resources (bsc#1109822).
- CVE-2018-16587: An attacker could have sent a malicious email to an OTRS
  system. If a user with admin permissions opens it, it caused deletions of
  arbitrary files that the OTRS web server user has write access to
  (bsc#1109823).
- CVE-2018-14593: An attacker who is logged into OTRS as an agent may have
  escalated their privileges by accessing a specially crafted URL (bsc#1103800).

These non-security issues were fixed:

- fixed permissions file @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/
- ACL for Action AgentTicketBulk were inconsistent.


              

Packages


  • otrs-4.0.32-bp150.3.3.1