Debian Package Tracker
Register | Log in
Subscribe

znuny

flexible web-based ticketing system

Choose email to subscribe with

general
  • source: znuny (non-free)
  • version: 6.5.15-2
  • maintainer: Patrick Matthäi (DMD)
  • uploaders: Thomas Mueller [DMD]
  • arch: all
  • std-ver: 4.7.2
  • VCS: unknown
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • old-bpo: 6.4.5-1~bpo11+1
  • stable: 6.5.1-1
  • stable-bpo: 6.5.15-2~bpo12+1
  • testing: 6.5.15-2
  • unstable: 6.5.15-2
versioned links
  • 6.4.5-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 6.5.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 6.5.15-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 6.5.15-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • otrs2
  • znuny (1 bugs: 0, 1, 0, 0)
action needed
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2025-3573: Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
Created: 2025-04-26 Last update: 2025-05-13 06:30
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2025-3573: Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
Created: 2025-04-26 Last update: 2025-05-13 06:30
13 low-priority security issues in bookworm low

There are 13 open security issues in bookworm.

13 issues left for the package maintainer to handle:
  • CVE-2025-3573: (needs triaging) Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
  • CVE-2023-38060: (needs triaging) Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment.  This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
  • CVE-2024-32491: (needs triaging) An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.
  • CVE-2024-32493: (needs triaging) An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.
  • CVE-2024-48937: (needs triaging) Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.
  • CVE-2024-48938: (needs triaging) Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.
  • CVE-2025-26842: (needs triaging) An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
  • CVE-2025-26844: (needs triaging) An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
  • CVE-2025-26845: (needs triaging) An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
  • CVE-2025-26846: (needs triaging) An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
  • CVE-2025-26847: (needs triaging) An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
  • CVE-2025-43926: (needs triaging) An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
  • TEMP-0000000-4578D8: (needs triaging)

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-08-01 Last update: 2025-05-13 06:30
debian/patches: 9 patches to forward upstream low

Among the 9 debian patches available in version 6.5.15-2 of the package, we noticed the following issues:

  • 9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-05-07 18:32
news
[rss feed]
  • [2025-05-12] Accepted znuny 6.5.15-2~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2025-05-12] znuny 6.5.15-2 MIGRATED to testing (Debian testing watch)
  • [2025-05-07] Accepted znuny 6.5.15-2 (source) into unstable (Patrick Matthäi)
  • [2025-05-05] Accepted znuny 6.5.15-1 (source) into experimental (Patrick Matthäi)
  • [2025-03-06] Accepted znuny 6.5.14-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2025-02-27] znuny 6.5.14-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-21] Accepted znuny 6.5.14-1 (source) into unstable (Patrick Matthäi)
  • [2025-02-20] znuny 6.5.13-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-14] Accepted znuny 6.5.13-1 (source) into unstable (Patrick Matthäi)
  • [2024-10-08] Accepted znuny 6.5.11-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2024-10-07] znuny 6.5.11-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-02] Accepted znuny 6.5.11-1 (source) into unstable (Patrick Matthäi)
  • [2024-07-30] Accepted znuny 6.5.10-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2024-07-30] znuny 6.5.10-1 MIGRATED to testing (Debian testing watch)
  • [2024-07-24] Accepted znuny 6.5.10-1 (source) into unstable (Patrick Matthäi)
  • [2024-07-15] Accepted znuny 6.5.9-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2024-07-14] znuny 6.5.9-1 MIGRATED to testing (Debian testing watch)
  • [2024-07-08] Accepted znuny 6.5.9-1 (source) into unstable (Patrick Matthäi)
  • [2024-04-22] Accepted znuny 6.5.8-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2024-04-22] znuny 6.5.8-1 MIGRATED to testing (Debian testing watch)
  • [2024-04-19] Accepted znuny 6.5.8-1 (source) into unstable (Patrick Matthäi)
  • [2024-02-19] Accepted znuny 6.5.6-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2024-02-10] znuny 6.5.6-1 MIGRATED to testing (Debian testing watch)
  • [2024-02-05] Accepted znuny 6.5.6-1 (source) into unstable (Patrick Matthäi)
  • [2023-12-20] Accepted znuny 6.5.5-1~bpo12+1 (source) into stable-backports (Patrick Matthäi)
  • [2023-12-19] znuny 6.5.5-1 MIGRATED to testing (Debian testing watch)
  • [2023-12-13] Accepted znuny 6.5.5-1 (source) into unstable (Patrick Matthäi)
  • [2023-08-30] Accepted znuny 6.5.3-1~bpo12+1 (source all) into stable-backports (Debian FTP Masters) (signed by: Patrick Matthäi)
  • [2023-08-30] Accepted znuny 6.5.4-1~bpo12+1 (source all) into stable-backports (Debian FTP Masters) (signed by: Patrick Matthäi)
  • [2023-08-29] znuny 6.5.4-1 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 3 4
  • RC: 0
  • I&N: 3 4
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • buildd: logs
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 43)
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 6.5.15-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing