[Secure-testing-team] Bug#884801: otrs2: OSA-2017-10: Session hijacking
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 19 20:20:57 UTC 2017
Source: otrs2
Version: 3.3.9-3
Severity: grave
Tags: patch security upstream
Hi
From https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
> An attacker can send a specially prepared email to an OTRS system. If
> this system has cookie support disabled, and a logged in agent clicks a
> link in this email, the session information could be leaked to external
> systems, allowing the attacker to take over the agent’s session.
Regards,
Salvatore