This update for otrs to version 4.0.32 fixes the following issues:
These security issues were fixed:
- CVE-2018-16586: An attacker could have sent a malicious email to an OTRS
system. If a logged in user opens it, the email could have caused the browser
to load external image or CSS resources (bsc#1109822).
- CVE-2018-16587: An attacker could have sent a malicious email to an OTRS
system. If a user with admin permissions opens it, it caused deletions of
arbitrary files that the OTRS web server user has write access to
- CVE-2018-14593: An attacker who is logged into OTRS as an agent may have
escalated their privileges by accessing a specially crafted URL (bsc#1103800).
These non-security issues were fixed:
- fixed permissions file @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/
- ACL for Action AgentTicketBulk were inconsistent.