CVE-2019-13458

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.

Published: Aug 21, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-13458
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
otrs / otrs	5.0.0	5.0.36.x
otrs / otrs	6.0.0	6.0.19.x
otrs / otrs	7.0.0	7.0.8.x
debian / debian_linux	8.0	8.0.x

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/
https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://www.otrs.com/category/release-and-security-notes-en/

Vulnerability Database

289,697

CVE-2019-13458