CVE-2019-12746 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-12746 Interim 1 15 2025-02-17T02:03:55Z current 2021-05-30T14:28:50Z 2025-02-17T02:03:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-12746 An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HV3MGQ2UEPGYIRJRUZLM3IXFHMD2WSCZ/ E-Mail link for openSUSE-SU-2020:0551-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3LYOX4CJJPHH5WJGU4WJCXSIRJ5YPPB7/ E-Mail link for openSUSE-SU-2020:1475-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S5NKKTAPXGTZI4XHFQ7KLWHRJLJIOZSW/ E-Mail link for openSUSE-SU-2020:1509-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SUSE Package Hub 15 SP1 SUSE Package Hub 15 SP2 openSUSE Leap 15.1 openSUSE Leap 15.2 otrs-5.0.42-bp150.2.10.1 otrs-6.0.29-bp151.3.6.2 otrs-6.0.29-bp152.2.8.1 otrs-6.0.29-lp151.2.6.2 otrs-6.0.29-lp152.2.3.4 otrs-doc-5.0.42-bp150.2.10.1 otrs-doc-6.0.29-bp151.3.6.2 otrs-doc-6.0.29-bp152.2.8.1 otrs-doc-6.0.29-lp151.2.6.2 otrs-doc-6.0.29-lp152.2.3.4 otrs-itsm-5.0.42-bp150.2.10.1 otrs-itsm-6.0.29-bp151.3.6.2 otrs-itsm-6.0.29-bp152.2.8.1 otrs-itsm-6.0.29-lp151.2.6.2 otrs-itsm-6.0.29-lp152.2.3.4 otrs-5.0.42-bp150.2.10.1 as a component of SUSE Package Hub 15 otrs-doc-5.0.42-bp150.2.10.1 as a component of SUSE Package Hub 15 otrs-itsm-5.0.42-bp150.2.10.1 as a component of SUSE Package Hub 15 otrs-6.0.29-bp151.3.6.2 as a component of SUSE Package Hub 15 SP1 otrs-doc-6.0.29-bp151.3.6.2 as a component of SUSE Package Hub 15 SP1 otrs-itsm-6.0.29-bp151.3.6.2 as a component of SUSE Package Hub 15 SP1 otrs-6.0.29-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 otrs-doc-6.0.29-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 otrs-itsm-6.0.29-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 otrs-6.0.29-lp151.2.6.2 as a component of openSUSE Leap 15.1 otrs-doc-6.0.29-lp151.2.6.2 as a component of openSUSE Leap 15.1 otrs-itsm-6.0.29-lp151.2.6.2 as a component of openSUSE Leap 15.1 otrs-6.0.29-lp152.2.3.4 as a component of openSUSE Leap 15.2 otrs-doc-6.0.29-lp152.2.3.4 as a component of openSUSE Leap 15.2 otrs-itsm-6.0.29-lp152.2.3.4 as a component of openSUSE Leap 15.2 An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then be potentially abused in order to impersonate the agent user. CVE-2019-12746 SUSE Package Hub 15:otrs-5.0.42-bp150.2.10.1 SUSE Package Hub 15:otrs-doc-5.0.42-bp150.2.10.1 SUSE Package Hub 15:otrs-itsm-5.0.42-bp150.2.10.1 SUSE Package Hub 15 SP1:otrs-6.0.29-bp151.3.6.2 SUSE Package Hub 15 SP1:otrs-doc-6.0.29-bp151.3.6.2 SUSE Package Hub 15 SP1:otrs-itsm-6.0.29-bp151.3.6.2 SUSE Package Hub 15 SP2:otrs-6.0.29-bp152.2.8.1 SUSE Package Hub 15 SP2:otrs-doc-6.0.29-bp152.2.8.1 SUSE Package Hub 15 SP2:otrs-itsm-6.0.29-bp152.2.8.1 openSUSE Leap 15.1:otrs-6.0.29-lp151.2.6.2 openSUSE Leap 15.1:otrs-doc-6.0.29-lp151.2.6.2 openSUSE Leap 15.1:otrs-itsm-6.0.29-lp151.2.6.2 openSUSE Leap 15.2:otrs-6.0.29-lp152.2.3.4 openSUSE Leap 15.2:otrs-doc-6.0.29-lp152.2.3.4 openSUSE Leap 15.2:otrs-itsm-6.0.29-lp152.2.3.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N