{"api_version":"1","generated_at":"2026-04-22T23:30:35+00:00","cve":"CVE-2019-12746","urls":{"html":"https://cve.report/CVE-2019-12746","api":"https://cve.report/api/cve/CVE-2019-12746.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-12746","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-12746"},"summary":{"title":"CVE-2019-12746","description":"An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then be potentially abused in order to impersonate the agent user.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-08-21 14:15:00","updated_at":"2023-08-31 03:15:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html","name":"openSUSE-SU-2020:1475","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1475-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html","name":"openSUSE-SU-2020:0551","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0551-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html","name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3551-1] otrs2 security 
update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","name":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","refsource":"CONFIRM","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 1877-1] otrs2 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/","name":"https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Security Advisory 2019-10: Security Update for OTRS Framework - ((OTRS)) Community Edition","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.otrs.com/category/release-and-security-notes-en/","name":"https://www.otrs.com/category/release-and-security-notes-en/","refsource":"MISC","tags":["Release Notes"],"title":"Release and Security Notes Archive | community.otrs.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html","name":"openSUSE-SU-2020:1509","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1509-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-12746","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12746","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"12746","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"12746","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"12746","vulnerable":"1","versionEndIncluding":"5.0.36","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"12746","vulnerable":"1","versionEndIncluding":"6.0.19","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-12746","qid":"6000085","title":"Debian Security Update for otrs2 (DLA 3551-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-12746","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. 
A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then be potentially abused in order to impersonate the agent user."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.otrs.com/category/release-and-security-notes-en/","refsource":"MISC","name":"https://www.otrs.com/category/release-and-security-notes-en/"},{"refsource":"CONFIRM","name":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html"},{"refsource":"CONFIRM","name":"https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/","url":"https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0551","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1475","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1509","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}]}},"nvd":{"publishedDate":"2019-08-21 14:15:00","lastModifiedDate":"2023-08-31 
03:15:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*","versionStartIncluding":"5.0.0","versionEndIncluding":"5.0.36","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.19","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"12746","Ordinal":"151085","Title":"CVE-2019-12746","CVE":"CVE-2019-12746","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"12746","Ordinal":"1","NoteData":"An issue was discovered in Open Ticket Request System (OTRS) Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. 
This identifier can then be potentially abused in order to impersonate the agent user.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"12746","Ordinal":"2","NoteData":"2019-08-21","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"12746","Ordinal":"3","NoteData":"2020-09-23","Type":"Other","Title":"Modified"}]}}}