In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
CVSS Details
- CVSS 3.0 Base Score: 8.8
- CVSS 3.0 Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Covered by Rapid7
| Product | Vendor Advisory | Solution File | Added | Published |
|---|---|---|---|---|
| Debian | debian-upgrade-otrs2 | Dec 20, 2017 | Dec 8, 2017 | |
| Freebsd | freebsd-upgrade-package-otrs | Dec 31, 2017 | Dec 30, 2017 | |
| Ubuntu | no-fix-ubuntu-package | Jun 26, 2025 | Dec 8, 2017 |
Prioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub