Bug 506476 (CVE-2014-2553) - <www-apps/otrs-4.0.12: Help Desk Cross-Site Scripting and Clickjacking Vulnerabilities (CVE-2014-{2553,2554})
Status: RESOLVED FIXED
Alias: CVE-2014-2553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57616/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-01 16:09 UTC by Agostino Sarubbo
Modified: 2016-03-29 07:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-01 16:09:44 UTC
From ${URL} :

Description

Two vulnerabilities have been reported in OTRS Help Desk, which can be exploited by malicious people to 
conduct cross-site scripting and clickjacking attacks.

1) Certain input related to dynamic fields is not properly sanitised before being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of 
an affected site.

2) The application allows users to perform certain actions via HTTP requests via iframes without 
performing any validity checks to verify the requests. This can be exploited to perform certain 
unspecified actions by tricking a user into e.g. clicking a specially crafted link via clickjacking.

The vulnerabilities are reported in versions prior to 3.1.21, 3.2.16, and 3.3.6.


Solution:
Update to version 3.1.21, 3.2.16, or 3.3.6.

Provided and/or discovered by:
The vendor credits:
1) Renée Bäcker
2) Adam Ziaja

Original Advisory:
OTRS (OSA-2014-04, OSA-2014-05):
https://www.otrs.com/security-advisory-2014-04-xss-issue/
https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Agostino Sarubbo gentoo-dev 2014-04-04 10:12:50 UTC
CVE-2014-2553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2553):

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:43:36 UTC
CVE-2014-2553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2553):
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System
  (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6
  allows remote authenticated users to inject arbitrary web script or HTML via
  vectors related to dynamic fields.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 23:54:20 UTC
CVE-2014-2554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2554):
  OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows
  remote attackers to conduct clickjacking attacks via an IFRAME element.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-01-15 21:26:52 UTC
This bug has been around for a while. Just a ping to see if we can resolve it.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-02-21 19:18:19 UTC
Maintainers, 3.2.12 is in tree, this is fixed in 3.2.16. Can we get an ebuild for this?
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 07:52:53 UTC
No vulnerable versions in tree.