Hi,
On Sun, Feb 23, 2014 at 08:42:01PM +0000, Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2867-1 security@debian.org
> http://www.debian.org/security/ Salvatore Bonaccorso
> February 23, 2014 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : otrs2
> Vulnerability : several
> CVE ID : CVE-2014-1471 CVE-2014-1694
>
> Several vulnerabilities were discovered in otrs2, the Open Ticket
> Request System. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CVE-2014-1471
>
> Norihiro Tanaka reported missing challenge token checks. An attacker
> that managed to take over the session of a logged in customer could
> create tickets and/or send follow-ups to existing tickets due to
> these missing checks.
>
> CVE-2014-1694
>
> Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
> valid customer or agent login could inject SQL code through the
> ticket search URL.
This should be:
CVE-2014-1694
Norihiro Tanaka reported missing challenge token checks. An attacker
that managed to take over the session of a logged in customer could
create tickets and/or send follow-ups to existing tickets due to
these missing checks.
CVE-2014-1471
Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
valid customer or agent login could inject SQL code through the
ticket search URL.
Apologies for not having spotted that earlier. I have committed the
changes for the websites so that they will be correct on next update.
Regards,
Salvatore