openSUSE Security Update : otrs (openSUSE-2018-1106)
Medium Nessus Plugin ID 117931
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis update for otrs to version 4.0.32 fixes the following issues :
These security issues were fixed :
- CVE-2018-16586: An attacker could have sent a malicious email to an OTRS system. If a logged in user opens it, the email could have caused the browser to load external image or CSS resources (bsc#1109822).
- CVE-2018-16587: An attacker could have sent a malicious email to an OTRS system. If a user with admin permissions opens it, it caused deletions of arbitrary files that the OTRS web server user has write access to (bsc#1109823).
- CVE-2018-14593: An attacker who is logged into OTRS as an agent may have escalated their privileges by accessing a specially crafted URL (bsc#1103800).
These non-security issues were fixed :
- fixed permissions file @[email protected]/var/tmp -> @[email protected]/var/tmp/
- ACL for Action AgentTicketBulk were inconsistent.
SolutionUpdate the affected otrs packages.