Bug 621006 (CVE-2017-9324) - <www-apps/otrs-5.0.20: multiple vulnerabilities
Summary: <www-apps/otrs-5.0.20: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-9324
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~2 []
Reported: 2017-06-06 11:44 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-06 11:54 UTC
CC: 3 users
Runtime testing required: ---
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 11:44:40 UTC
Vuln 1:
=======
Advisory: https://www.otrs.com/security-advisory-2017-02-security-update-otrs-versions/

Text:
-----
Certain pages of the OTRS interface are affected by a cross-site scripting vulnerability. It fails to sanitize user input to sufficiently remove HTML tags such as JavaScript from user input. A remote attacker can craft a malicious link containing JavaScript or other arbitrary HTML that will be executed in another user’s browser in the context of their OTRS session.

Affected by this vulnerability are all releases of OTRS 5.0.x up to and including 5.0.19, OTRS 4.0.x up to and including 4.0.23 and OTRS 3.3.x up to and including 3.3.16.


Vuln 2:
=======
CVE: CVE-2017-9324

Advisory: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/

Text:
-----
An attacker with agent permission is capable, by opening a specific URL in a browser, of gaining administrative privileges / full access. Afterward, all system settings can be read and changed.

Affected by this vulnerability are all releases of OTRS 5.0.x up to and including 5.0.19, OTRS 4.0.x up to and including 4.0.23 and OTRS 3.3.x up to and including 3.3.16.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 11:45:54 UTC
PR: https://github.com/gentoo/gentoo/pull/4869
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 11:54:54 UTC
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b78f42e46efa59a85dbd6e5f07679c7a38e99005

Repository is clean, all done.