6.8

CVE-2014-1694

Exploit
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OtrsOtrs Version3.2.0
OtrsOtrs Version3.2.0 Updatebeta1
OtrsOtrs Version3.2.0 Updatebeta2
OtrsOtrs Version3.2.0 Updatebeta3
OtrsOtrs Version3.2.0 Updatebeta4
OtrsOtrs Version3.2.0 Updatebeta5
OtrsOtrs Version3.2.0 Updaterc1
OtrsOtrs Version3.2.1
OtrsOtrs Version3.2.2
OtrsOtrs Version3.2.3
OtrsOtrs Version3.2.4
OtrsOtrs Version3.2.5
OtrsOtrs Version3.2.6
OtrsOtrs Version3.2.7
OtrsOtrs Version3.2.8
OtrsOtrs Version3.2.9
OtrsOtrs Version3.2.10
OtrsOtrs Version3.1.0
OtrsOtrs Version3.1.1
OtrsOtrs Version3.1.2
OtrsOtrs Version3.1.3
OtrsOtrs Version3.1.4
OtrsOtrs Version3.1.5
OtrsOtrs Version3.1.6
OtrsOtrs Version3.1.7
OtrsOtrs Version3.1.8
OtrsOtrs Version3.1.9
OtrsOtrs Version3.1.10
OtrsOtrs Version3.1.11
OtrsOtrs Version3.1.13
OtrsOtrs Version3.1.14
OtrsOtrs Version3.1.15
OtrsOtrs Version3.1.16
OtrsOtrs Version3.1.17
OtrsOtrs Version3.1.18
OtrsOtrs Version3.3.0
OtrsOtrs Version3.3.0 Updatebeta1
OtrsOtrs Version3.3.0 Updatebeta2
OtrsOtrs Version3.3.0 Updatebeta3
OtrsOtrs Version3.3.0 Updatebeta4
OtrsOtrs Version3.3.0 Updatebeta5
OtrsOtrs Version3.3.0 Updaterc1
OtrsOtrs Version3.3.1
OtrsOtrs Version3.3.2
OtrsOtrs Version3.3.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.48% 0.705
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://secunia.com/advisories/56644
Vendor Advisory
http://secunia.com/advisories/56655
Vendor Advisory
http://www.debian.org/security/2014/dsa-2867
http://www.openwall.com/lists/oss-security/2014/01/29/15
https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
http://bugs.otrs.org/show_bug.cgi?id=10099
http://osvdb.org/102632
http://www.openwall.com/lists/oss-security/2014/01/29/7
https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
Patch
Exploit
https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
Patch
Exploit
https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
Patch
Exploit
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface
Patch
Vendor Advisory