Bug 476434 (CVE-2013-4717) - <www-apps/otrs-3.2.9: Unspecified Script Insertion and SQL Injection Vulnerabilities (CVE-2013-4717)
Summary: <www-apps/otrs-3.2.9: Unspecified Script Insertion and SQL Injection Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2013-4717
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52623/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-10 18:57 UTC by Agostino Sarubbo
Modified: 2015-08-14 01:11 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2013-07-10 18:57:21 UTC
From ${URL} :

Description

Some vulnerabilities have been reported in OTRS and OTRS ITSM, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.

1) Certain unspecified input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Certain input related to the ITSM ConfigItem search is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Please see the vendor's advisory for affected products and versions.


Solution:
Update to a fixed version.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 01:02:14 UTC
Fixed in 3.1.18, 3.2.9, need a version bump.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-17 21:59:38 UTC
3.2.9 is in the tree.

@maintainers: please cleanup vulnerable versions
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-26 09:15:03 UTC
No stable versions for this package, so reassigning ~3.

@Maintainers: Please clean up vulnerable versions (and ACK doing so on this bug report). Setting upstream+; Maintainer timeout in 30 days.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2015-08-14 01:11:09 UTC
Cleanup done.