{"api_version":"1","generated_at":"2026-04-22T23:30:30+00:00","cve":"CVE-2019-13458","urls":{"html":"https://cve.report/CVE-2019-13458","api":"https://cve.report/api/cve/CVE-2019-13458.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-13458","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-13458"},"summary":{"title":"CVE-2019-13458","description":"An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-08-21 14:15:00","updated_at":"2023-08-31 03:15:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html","name":"openSUSE-SU-2020:1475","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1475-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html","name":"openSUSE-SU-2020:0551","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0551-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html","name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3551-1] otrs2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","name":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","refsource":"CONFIRM","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 1877-1] otrs2 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/","name":"https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Security Advisory 2019-12: Security Update for OTRS Framework - ((OTRS)) Community Edition","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.otrs.com/category/release-and-security-notes-en/","name":"https://www.otrs.com/category/release-and-security-notes-en/","refsource":"MISC","tags":["Release Notes"],"title":"Release and Security Notes Archive | community.otrs.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html","name":"openSUSE-SU-2020:1509","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1509-1: moderate: Recommended updat","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-13458","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13458","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"13458","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13458","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13458","vulnerable":"1","versionEndIncluding":"5.0.36","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13458","vulnerable":"1","versionEndIncluding":"6.0.19","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13458","vulnerable":"1","versionEndIncluding":"7.0.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-13458","qid":"6000085","title":"Debian Security Update for otrs2 (DLA 3551-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-13458","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.otrs.com/category/release-and-security-notes-en/","refsource":"MISC","name":"https://www.otrs.com/category/release-and-security-notes-en/"},{"refsource":"CONFIRM","name":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html","url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00018.html"},{"refsource":"CONFIRM","name":"https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/","url":"https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0551","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1475","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1509","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:H/S:U/UI:N","version":"3.0"}}},"nvd":{"publishedDate":"2019-08-21 14:15:00","lastModifiedDate":"2023-08-31 03:15:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*","versionStartIncluding":"5.0.0","versionEndIncluding":"5.0.36","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.19","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.0.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"13458","Ordinal":"151817","Title":"CVE-2019-13458","CVE":"CVE-2019-13458","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"13458","Ordinal":"1","NoteData":"An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, and Community Edition 5.0.x through 5.0.36 and 6.0.x through 6.0.19. An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS notification tags in templates in order to disclose hashed user passwords.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"13458","Ordinal":"2","NoteData":"2019-08-21","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"13458","Ordinal":"3","NoteData":"2020-09-23","Type":"Other","Title":"Modified"}]}}}