Changelog
otrs2 (6.0.18-1) unstable; urgency=high

  * New upstream release.
    - Fixes OSA-2019-06, also known as CVE-2019-10066: An attacker who is logged
      into OTRS as an agent with appropriate permissions may create a carefully
      crafted calendar appointment in order to cause execution of JavaScript in
      the context of OTRS.
    - Fixes OSA-2019-05, also known as CVE-2019-10067: An attacker who is logged
      into OTRS as an agent user with appropriate permissions may manipulate the
      URL to cause execution of JavaScript in the context of OTRS.
    - Fixes OSA-2019-04, also known as CVE-2019-9892: An attacker who is logged
      into OTRS as an agent user with appropriate permissions may try to import
      carefully crafted Report Statistics XML that will result in reading of
      arbitrary files of the OTRS filesystem.

 -- Patrick Matthäi <email address hidden>  Fri, 26 Apr 2019 11:00:38 +0200