CVE-2018-14593 — otrs2 - security update

Description

An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.9, 5.0.x through 5.0.28, and 4.0.x through 4.0.30. An attacker who is logged into OTRS as an agent may escalate their privileges by accessing a specially crafted URL.

How to fix CVE-2018-14593

To remediate CVE-2018-14593, upgrade the affected package to a fixed version below.

Debian/otrs2—upgrade to 6.0.10-1 or later
—upgrade to 3.3.18-1+deb8u5 or later
—upgrade to 5.0.16-1+deb9u6 or later

Is CVE-2018-14593 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 6.0.10-1
from 0, < 3.3.18-1+deb8u5
from 0, < 5.0.16-1+deb9u6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-14593