Source: otrs2 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for otrs2. Couldn't find any Znuny references yet. CVE-2021-36092[0]: | It's possible to create an email which contains specially crafted link | and it can be used to perform XSS attack. This issue affects: OTRS AG | ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. | OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version | 8.0.14 and prior versions. https://otrs.com/release-notes/otrs-security-advisory-2021-15/ CVE-2021-36091[1]: | Agents are able to list appointments in the calendars without required | permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: | 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions | prior to 7.0.27. https://otrs.com/release-notes/otrs-security-advisory-2021-14/ CVE-2021-21443[2]: | Agents are able to list customer user emails without required | permissions in the bulk action screen. This issue affects: OTRS AG | ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. | OTRS AG OTRS: 7.0.x versions prior to 7.0.27. https://otrs.com/release-notes/otrs-security-advisory-2021-13/ CVE-2021-21440[3]: | Generated Support Bundles contains private S/MIME and PGP keys if | containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) | Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS | 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and | prior versions. https://otrs.com/release-notes/otrs-security-advisory-2021-13/ If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-36092 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36092 [1] https://security-tracker.debian.org/tracker/CVE-2021-36091 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36091 [2] https://security-tracker.debian.org/tracker/CVE-2021-21443 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21443 [3] https://security-tracker.debian.org/tracker/CVE-2021-21440 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21440 Please adjust the affected versions in the BTS as needed.