http://bugzilla.opensuse.org/show_bug.cgi?id=1141432

Bug ID: 1141432
Summary: VUL-1: CVE-2019-13458:
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
URL: https://smash.suse.de/issue/237105/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Other
Assignee: chris@computersalat.de
Reporter: abergmann@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2019-13458

Security Advisory 2019-12: Security Update for OTRS Framework

Security Advisory Details:

ID: OSA-2019-12
Date: 2019-07-12
Title: Information Disclosure
Severity: 2.4. Low
Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
Fixed in: OTRS 7.0.9, OTRS 6.0.20, OTRS 5.0.37
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
References: CVE-2019-13458

Vulnerability Description:

This advisory covers vulnerabilities discovered in the OTRS framework.

Privilege Escalation:

An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS tags in templates in order to disclose hashed user passwords.

Affected by this vulnerability are all releases of OTRS 7.0.x up to and including 7.0.8, OTRS 6.0.x up to and including 6.0.19, OTRS 5.0.x up to and including 5.0.36.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:
https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

OTRS 6.0
https://github.com/OTRS/otrs/commit/69430f260d52e5a7afc185048da0cfc2eef2659a

OTRS 5.0
https://github.com/OTRS/otrs/commit/0e26066dfff8efff0039da13e29609ca7f00d9a2

However, to avoid unwanted side effects, we recommend a complete update.

Thanks to Marvin Voormann for discovering and reporting this issue.

References:
https://community.otrs.com/security-advisory-2019-12-security-update-for-otr...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13458
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13458.html