ZSA-2019-07

Disclosure of personal agent information in customer frontend.

Problem

Personal information of an agent (like name and email address) can be disclosed in external notes in customer frontend.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Workaround

As a workaround, you can replace the affected files (see below for download). After that, check the following new SysConfig options:
Ticket::Frontend::CustomerTicketZoom###DisplayNoteFrom
Ticket::Frontend::CustomerTicketZoom###DefaultAgentName

ATTENTION: Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.

Download

Security patch for OTRS 6
Security patch for OTRS 5

References

Vendor advisory
CVE-2019-12497

ZSA	ZSA-2019-07
Date	05/31/19
Title	Disclosure of personal agent information in customer frontend.
Severity	Low
Product	OTRS Help Desk 6.0.x up to and including 6.0.18, OTRS Help Desk 5.0.x up to and including 5.0.35
Fixed in	OTRS Help Desk 6.0.19, OTRS Help Desk 5.0.36
URL	Directlink
CVE	CVE-2019-12497