{"id":"CVE-2017-16921","details":"In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.","modified":"2026-03-15T22:15:29.847371Z","published":"2017-12-08T15:29:00.323Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/162295/OTRS-6.0.1-Remote-Command-Execution.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-4066"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html"},{"type":"FIX","url":"https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/43853/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.7"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.8"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.12"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.13"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.14"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.15"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.16"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.17"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.18"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.19"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.20"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.21"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.22"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.23"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.24"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.25"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.26"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-alpha1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-beta4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-beta5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.7"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.8"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.9"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.10"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.11"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.12"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.13"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.14"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.15"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.16"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.17"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.18"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.19"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.20"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.21"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.22"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.23"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.24"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-alpha1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-beta4"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-beta5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16921.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}