ZSA-2019-09

OTRS agent might unwillingly disclose session ID

Problem

An agent logged in to OTRS can unwillingly disclose his session ID by sharing the link of an embedded ticket article.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Workaround

As a workaround, you can replace the affected files (see below for download).

ATTENTION: Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.

Download

Security patch for OTRS 6
Security patch for OTRS 5

References

Vendor advisory
CVE-2019-12746

ZSA	ZSA-2019-09
Date	07/12/19
Title	OTRS agent might unwillingly disclose session ID
Severity	Low
Product	OTRS Help Desk 6.0.x up to and including 6.0.19, OTRS Help Desk 5.0.x up to and including 5.0.36
Fixed in	OTRS Help Desk 6.0.20, OTRS Help Desk 5.0.37
URL	Directlink
CVE	CVE-2019-12746