| Summary: | <www-apps/otrs-3.2.9: Unspecified Script Insertion and SQL Injection Vulnerabilities (CVE-2013-4717) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | patrick, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/52623/ | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Fixed in 3.1.18, 3.2.9, need a version bump. 3.2.9 is in the tree, @maintainers: please cleanup vulnerable versions No stable versions for this package, so reassigning ~3. @Maintainers: Please clean up vulnerable versions (and ACK doing so on this bug report). Setting upstream+; Maintainer timeout in 30 days. Cleanup done. |
From ${URL} : Description Some vulnerabilities have been reported in OTRS and OTRS ITSM, which can be exploited by malicious users to conduct script insertion and SQL injection attacks. 1) Certain unspecified input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Certain input related to the ITSM ConfigItem search is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed. Please see the vendor's advisory for affected products and versions. Solution: Update to a fixed version. Further details available to Secunia VIM customers Provided and/or discovered by: Reported by the vendor. Original Advisory: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/ @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.