CVE-2019-9892

XML Injection (aka Blind XPath Injection) (CWE-91)

Published: May 22, 2019 / Updated: 50mo ago

CVSS 6.5 (Medium) / EPSS 0.27%

An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2019-9892.

May 3, 2019 at 11:28 PM / vulners.com

EPSS

EPSS Score was set to: 0.27% (Percentile: 63.9%)

Oct 13, 2023 at 5:10 PM

Affected Systems

Otrs/otrs

Patches

community.otrs.com

Attack Patterns

CAPEC-250: XML Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
