CVE-2014-1694

Sažetak

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.

Reference

http://bugs.otrs.org/show_bug.cgi?id=10099
http://osvdb.org/102632
http://secunia.com/advisories/56644
http://secunia.com/advisories/56655
http://www.debian.org/security/2014/dsa-2867
http://www.openwall.com/lists/oss-security/2014/01/29/15
http://www.openwall.com/lists/oss-security/2014/01/29/7
https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

06-03-2014 - 04:50

Objavljeno

04-02-2014 - 21:55