Spoofing of From field in several screens

The primary impact of CVE-2020-1765 is the ability for an attacker to forge the 'from' address in outgoing emails originating from an OTRS instance. This can be leveraged for various malicious purposes, including phishing campaigns targeting users within the organization or external parties. Attackers could impersonate legitimate users or systems, potentially gaining access to sensitive information or executing malicious commands. While the CVSS score is LOW, the potential for social engineering and reputational damage should not be underestimated. The blast radius extends to anyone who receives emails originating from the compromised OTRS system.

Organizations utilizing OTRS for customer support or ticketing systems are at risk. Specifically, deployments using older versions of OTRS (5.0.x, 6.0.x, or 7.0.x prior to 7.0.14) are vulnerable. Shared hosting environments where multiple organizations share an OTRS instance could also be impacted, as a compromise of one tenant could potentially affect others.

• linux / server:

journalctl -u otrs | grep -i 'from address'

• generic web:

curl -I http://otrs_server/AgentTicketCompose | grep From

1. 2020-01-10Disclosure

   disclosure

1. आरक्षित2019-11-29
2. प्रकाशित2020-01-10
3. संशोधित2024-09-16
4. EPSS अद्यतन2026-04-02

The recommended mitigation for CVE-2020-1765 is to upgrade OTRS to version 7.0.14 or later. If upgrading is not immediately feasible, consider implementing stricter email authentication policies, such as SPF, DKIM, and DMARC, to help prevent email spoofing. Review OTRS configuration to ensure that email sending restrictions are in place. Monitor OTRS logs for suspicious outbound email activity. After upgrading, confirm the fix by sending test emails and verifying the 'from' address is correctly configured and cannot be easily manipulated.