CVE-2019-9892

Name of the Vulnerable Software and Affected Versions Open Ticket Request System (OTRS) versions 5.x through 5.0.34 Open Ticket Request System (OTRS) versions 6.x through 6.0.17 Open Ticket Request System (OTRS) versions 7.x through 7.0.6

Description An issue was discovered in Open Ticket Request System (OTRS) where an attacker logged in as an agent user with appropriate permissions may import carefully crafted Report Statistics XML to read arbitrary files on the OTRS filesystem.

Recommendations For versions 5.x through 5.0.34, update to a version later than 5.0.34 to resolve the issue. For versions 6.x through 6.0.17, update to a version later than 6.0.17 to resolve the issue. For versions 7.x through 7.0.6, update to a version later than 7.0.6 to resolve the issue. As a temporary workaround, consider restricting the import of Report Statistics XML for agent users until a patch is available.