In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/ | vendor advisory patch issue tracking |
| https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html | third party advisory mailing list |
| https://www.exploit-db.com/exploits/43853/ | exploit vdb entry third party advisory |
| https://www.debian.org/security/2017/dsa-4066 | vendor advisory mailing list third party advisory |
| http://packetstormsecurity.com/files/162295/OTRS-6.0.1-Remote-Command-Execution.html |