NVD Vulnerability Detail

CVE-2018-16586

Summary	In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before 5.0.30, and 6.0.x before 6.0.11, an attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.
Publication Date	Sept. 28, 2018, 9:29 a.m.
Registration Date	March 1, 2021, 7:04 p.m.
Last Update	Nov. 21, 2024, 12:52 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:otrs:open_ticket_request_system::::::::	6.0.0			6.0.11
cpe:2.3:a:otrs:open_ticket_request_system::::::::	5.0.0			5.0.30
cpe:2.3:a:otrs:open_ticket_request_system::::::::	4.0.0			4.0.32

Related information, measures and tools

No	URL	タグ
1	https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/	Patch Vendor Advisory
2	https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/	Patch Vendor Advisory
3	https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963	Patch
4	https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963	Patch
5	https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7	Patch
6	https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7	Patch
7	https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302	Patch
8	https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302	Patch
9	https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html	Mailing List Third Party Advisory
11	https://www.debian.org/security/2018/dsa-4317	Third Party Advisory
12	https://www.debian.org/security/2018/dsa-4317	Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Open Ticket Request System における入力確認に関する脆弱性

Title	Open Ticket Request System における入力確認に関する脆弱性
Summary	Open Ticket Request System (OTRS) には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 21, 2018, midnight
Registration Date	Dec. 19, 2018, 9:59 a.m.
Last Update	Dec. 19, 2018, 9:59 a.m.

Affected System

Debian

Debian GNU/Linux

OTRS プロジェクト

OTRS 4.0.32 までの 4.0.x

OTRS 5.0.30 までの 5.0.x

OTRS 6.0.11 までの 6.0.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-16586	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16586
National Vulnerability Database (NVD)
2	CVE-2018-16586	https://nvd.nist.gov/vuln/detail/CVE-2018-16586

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 1521-1] otrs2 security update	https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html
Debian Security Advisory
2	DSA-4317	https://www.debian.org/security/2018/dsa-4317
GitHub
3	Improved AdminSupportDataCollector.(09e80c7)	https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963
4	Improved AdminSupportDataCollector.(a808859)	https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7
5	Improved AdminSupportDataCollector.(baa92df)	https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302
Security Advisory
6	OSA-2018-05	https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/

Change Log

No	Changed Details	Date of change
1	[2018年12月19日] 掲載	Dec. 19, 2018, 9:59 a.m.