
Test ID: 1.3.6.1.4.1.25623.1.0.853442
Category: SuSE Local Security Checks
Title: openSUSE: Security Advisory for Recommended (openSUSE-SU-2020:1475-1)
Summary: The remote host is missing an update for the 'Recommended' package(s) announced via the openSUSE-SU-2020:1475-1 advisory.
Description:
Summary:
The remote host is missing an update for the 'Recommended'
package(s) announced via the openSUSE-SU-2020:1475-1 advisory.

Vulnerability Insight:
OTRS was updated to 5.0.42, fixing lots of bugs and security issues:

- CVE-2020-1773 boo#1168029 OSA-2020-10:

* Session / Password / Password token leak: An attacker with the ability
to generate session IDs or password reset tokens, either by being able
to authenticate or by exploiting OSA-2020-09, may be able to predict
other users' session IDs, password reset tokens and automatically
generated passwords.

- CVE-2020-1772 boo#1168029 OSA-2020-09:

* Information Disclosure: It's possible to craft Lost Password requests
with wildcards in the Token value, which allows an attacker to retrieve
valid Token(s) generated by users who have already requested new
passwords.

- CVE-2020-1771 boo#1168030 OSA-2020-08:

* Possible XSS in Customer user address book: An attacker is able to craft an
article with a link to the customer address book with malicious
content (JavaScript). When an agent opens the link, the JavaScript code is
executed due to the missing parameter encoding.

- CVE-2020-1770 boo#1168031 OSA-2020-07:

* Information disclosure in support bundle files: Files generated for a
support bundle could contain sensitive information that might be
unwanted to be disclosed.

- CVE-2020-1769 boo#1168032 OSA-2020-06:

* Autocomplete in the form login screens: In the login screens (in agent
and customer interface), Username and Password fields use
autocomplete, which might be considered a security issue.

* bug#14912 - Installer refers to non-existing documentation

- added code to upgrade OTRS from 4 to 5

READ UPGRADING.SUSE

* steps 1 to 4 are done by rpm pkg

* steps 5 to *END* need to be done manually because of DB backup

Update to 5.0.40

- CVE-2020-1766 boo#1160663 OSA-2020-02: Improper handling of uploaded
inline images: Due to improper handling of uploaded images it is possible
in very unlikely and rare conditions to force the agent's browser to
execute malicious JavaScript from a specially crafted SVG file rendered as
inline jpg file.

* CVE-2020-1765, OSA-2020-01: Spoofing of From field in several screens:
An improper ...

Description truncated. Please see the references for more information.

Affected Software/OS:
'Recommended' package(s) on openSUSE Leap 15.2, openSUSE Leap 15.1.

Solution:
Please install the updated package(s).

CVSS Score:
6.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2019-9752
https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework
https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html
SuSE Security Announcement: openSUSE-SU-2020:0551
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
SuSE Security Announcement: openSUSE-SU-2020:1475
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
SuSE Security Announcement: openSUSE-SU-2020:1509
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-9892
https://lists.debian.org/debian-lts-announce/2019/05/msg00003.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-1765
https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-1766
Common Vulnerability Exposure (CVE) ID: CVE-2020-1769
https://otrs.com/release-notes/otrs-security-advisory-2020-06/
Common Vulnerability Exposure (CVE) ID: CVE-2020-1770
https://otrs.com/release-notes/otrs-security-advisory-2020-07/
https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-1771
https://otrs.com/release-notes/otrs-security-advisory-2020-08/
Common Vulnerability Exposure (CVE) ID: CVE-2020-1772
https://otrs.com/release-notes/otrs-security-advisory-2020-09/
Common Vulnerability Exposure (CVE) ID: CVE-2020-1773
https://otrs.com/release-notes/otrs-security-advisory-2020-10/
Copyright: Copyright (C) 2020 Greenbone Networks GmbH





© 1998-2024 E-Soft Inc. All rights reserved.