From ${URL} : Description Two vulnerabilities have been reported in OTRS Help Desk, which can be exploited by malicious people to conduct cross-site scripting and clickjacking attacks. 1) Certain input related to dynamic fields is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) The application allows users to perform certain actions via HTTP requests via iframes without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions by tricking a user into e.g. clicking a specially crafted link via clickjacking. The vulnerabilities are reported in versions prior to 3.1.21, 3.2.16, and 3.3.6. Solution: Update to version 3.1.21, 3.2.16, or 3.3.6. Provided and/or discovered by: The vendor credits: 1) Renée Bäcker 2) Adam Ziaja Original Advisory: OTRS (OSA-2014-04, OSA-2014-05): https://www.otrs.com/security-advisory-2014-04-xss-issue/ https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/ @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2014-2553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2553): Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
CVE-2014-2554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2554): OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.
This bug has been around for a while. Just a ping to see if we can resolve it.
Maintainers, 3.2.12 is in tree, this is fixed in 3.2.16. Can we get an ebuild for this.
No vulnerable versions in tree.
