OTRS was updated to 5.0.42, fixing lots of bugs and security issues:
https://community.otrs.com/otrs-community-edition-5s-patch-level-42/
- CVE-2020-1773 boo#1168029 OSA-2020-10:
- Session / Password / Password token leak
An attacker with the ability to generate session IDs or password
reset tokens, either by being able to authenticate or by exploiting
OSA-2020-09, may be able to predict other users' session IDs,
password reset tokens and automatically generated passwords.
- CVE-2020-1772 boo#1168029 OSA-2020-09:
- Information Disclosure
It's possible to craft Lost Password requests with wildcards in
the Token value, which allows an attacker to retrieve valid Token(s)
generated by users who have already requested new passwords.
- CVE-2020-1771 boo#1168030 OSA-2020-08:
- Possible XSS in Customer user address book
An attacker is able to craft an article with a link to the customer
address book with malicious content (JavaScript). When an agent opens
the link, the JavaScript code is executed due to missing parameter
encoding.
- CVE-2020-1770 boo#1168031 OSA-2020-07:
- Information disclosure in support bundle files
Generated support bundle files could contain sensitive information
whose disclosure might be unwanted.
- CVE-2020-1769 boo#1168032 OSA-2020-06:
- Autocomplete in the form login screens
In the login screens (in the agent and customer interfaces), the
Username and Password fields use autocomplete, which might be
considered a security issue.
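
The token issues in OSA-2020-09 and OSA-2020-10, as an added example that is not OTRS code: a pattern-matching token lookup beside an exact-match one over tokens drawn from a CSPRNG. It assumes the lookup translates `*` into a SQL `%` wildcard (the advisory only says wildcards in the Token value are accepted); the table, function names and token alphabet are hypothetical.

```python
import hmac
import re
import secrets
import sqlite3

# Assumed token alphabet: what secrets.token_urlsafe() emits.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,64}")


def make_db():
    """Constructed sample data: two users with pending reset tokens."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reset_token (login TEXT, token TEXT)")
    # Tokens come from the OS CSPRNG, so one token says nothing about another.
    rows = [(user, secrets.token_urlsafe(24)) for user in ("alice", "bob")]
    db.executemany("INSERT INTO reset_token VALUES (?, ?)", rows)
    return db, dict(rows)


def lookup_weak(db, token):
    """Pattern lookup: '*' becomes SQL '%', so a bare '*' matches every token."""
    pattern = token.replace("*", "%")
    cur = db.execute("SELECT login FROM reset_token WHERE token LIKE ?", (pattern,))
    return [row[0] for row in cur.fetchall()]


def lookup_strict(db, token):
    """Exact lookup: reject input outside the token alphabet, then compare
    the stored value in constant time."""
    if not TOKEN_RE.fullmatch(token):
        return []
    cur = db.execute("SELECT login, token FROM reset_token WHERE token = ?", (token,))
    return [login for login, stored in cur.fetchall()
            if hmac.compare_digest(stored.encode(), token.encode())]


if __name__ == "__main__":
    db, tokens = make_db()
    print("weak   '*':", lookup_weak(db, "*"))
    print("strict '*':", lookup_strict(db, "*"))
    print("strict exact:", lookup_strict(db, tokens["alice"]))
```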
Update to 5.0.41
https://community.otrs.com/otrs-community-edition-5s-patch-level-41/
- bug#14912 - Installer refers to non-existing documentation
Update to 5.0.40
https://community.otrs.com/otrs-community-edition-5s-patch-level-40/
- CVE-2020-1766 boo#1160663 OSA-2020-02:
Improper...