
Re: [SECURITY] [DSA 2867-1] otrs2 security update



Hi,

On Sun, Feb 23, 2014 at 08:42:01PM +0000, Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2867-1                   security@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> February 23, 2014                      http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : otrs2
> Vulnerability  : several
> CVE ID         : CVE-2014-1471 CVE-2014-1694
> 
> Several vulnerabilities were discovered in otrs2, the Open Ticket
> Request System. The Common Vulnerabilities and Exposures project
> identifies the following problems:
> 
> CVE-2014-1471
> 
>     Norihiro Tanaka reported missing challenge token checks. An attacker
>     that managed to take over the session of a logged in customer could
>     create tickets and/or send follow-ups to existing tickets due to
>     these missing checks.
> 
> CVE-2014-1694
> 
>     Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
>     valid customer or agent login could inject SQL code through the
>     ticket search URL.

This should be:

CVE-2014-1694

    Norihiro Tanaka reported missing challenge token checks. An attacker
    that managed to take over the session of a logged in customer could
    create tickets and/or send follow-ups to existing tickets due to
    these missing checks.

CVE-2014-1471

    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
    valid customer or agent login could inject SQL code through the
    ticket search URL.

apologies for not having spotted that earlier. I have committed the
changes for the websites so that they will be correct on the next update.

Regards,
Salvatore

Attachment: signature.asc
Description: Digital signature
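The advisory names two bug classes but shows neither. The following is an added Python example, not OTRS code and not part of the original message, that models both in a minimal, hypothetical ticket front end: a per-session challenge token that a ticket-creation handler must verify before changing state (the check CVE-2014-1694 describes as missing), and a ticket search whose URL parameter is either spliced into SQL text or bound as a query parameter (the injection CVE-2014-1471 describes). The `Session` class, the handler and search functions, the SQLite schema and the sample tickets are all constructed for this example; the hardened forms are the standard mitigations, not the project's actual fix.

```python
import hmac
import secrets
import sqlite3

# Part 1: a per-session challenge token checked on every state-changing request.
# Hypothetical, minimal model of a ticket front end; not OTRS code.


class Session:
    """A logged-in customer session with one random challenge token."""

    def __init__(self, user):
        self.user = user
        # Embedded as a hidden field in every form; a request forged from
        # another origin carries the session cookie but cannot know this value.
        self.challenge_token = secrets.token_hex(16)


def create_ticket_unchecked(session, params, tickets):
    """Vulnerable pattern: the ticket is created without verifying the token."""
    tickets.append((session.user, params["Subject"]))
    return True


def create_ticket_checked(session, params, tickets):
    """Hardened pattern: refuse the request unless the submitted token matches."""
    submitted = params.get("ChallengeToken", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), session.challenge_token.encode()):
        return False
    tickets.append((session.user, params["Subject"]))
    return True


# Part 2: a ticket search driven by a URL parameter.


def make_db():
    """In-memory SQLite database with a few constructed sample tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO ticket (id, title) VALUES (?, ?)",
        [(1, "Printer on floor 2 is down"),
         (2, "VPN access request"),
         (3, "Password reset")],
    )
    return conn


def search_tickets_concat(conn, fragment):
    """Vulnerable pattern: the URL parameter is spliced into the SQL text."""
    sql = "SELECT id, title FROM ticket WHERE title LIKE '%" + fragment + "%'"
    return conn.execute(sql).fetchall()


def search_tickets_param(conn, fragment):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL.
    (LIKE wildcards in the input are still honoured; escape them if that matters.)"""
    sql = "SELECT id, title FROM ticket WHERE title LIKE ?"
    return conn.execute(sql, ("%" + fragment + "%",)).fetchall()


# Constructed attacker input: closes the string literal and comments out the rest.
INJECTION = "zzz%' OR 1=1 --"


if __name__ == "__main__":
    session = Session("customer1")
    tickets = []
    # Forged request: valid session cookie, no challenge token.
    print(create_ticket_unchecked(session, {"Subject": "forged"}, tickets))  # True
    print(create_ticket_checked(session, {"Subject": "forged"}, tickets))    # False
    print(create_ticket_checked(session, {"Subject": "real",
                                          "ChallengeToken": session.challenge_token},
                                tickets))                                    # True
    conn = make_db()
    print(search_tickets_concat(conn, INJECTION))  # all three rows
    print(search_tickets_param(conn, INJECTION))   # []
```

Run as-is to see the forged ticket creation succeed only through the unchecked handler, and the same injection string return every ticket through the concatenating search while matching nothing through the parameterized one.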
