Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request
System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In
the agent interface, an authenticated remote attackeer can execute shell
commands as the webserver user via URL manipulation.
@Maintainers please let us know when tree is clean from vulnerable versions.