[Secure-testing-team] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 22 14:31:00 UTC 2017
Source: otrs2
Version: 3.3.9-3
Severity: grave
Tags: upstream security
Hi,
the following vulnerability was published for otrs2.
CVE-2017-14635[0]:
| In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before
| 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage
| statistics-write permissions to gain privileges via code injection.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14635
[1] https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/
Unfortunately the patches are not referenced, so must be researched in
the repository.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list