CVE-2013-4717

Name of the Vulnerable Software and Affected Versions Open Ticket Request System (OTRS) Help Desk versions 3.0.x through 3.0.21 Open Ticket Request System (OTRS) Help Desk versions 3.1.x through 3.1.17 Open Ticket Request System (OTRS) Help Desk versions 3.2.x through 3.2.8

Description The issue is related to multiple SQL injection vulnerabilities in the Open Ticket Request System (OTRS) Help Desk. These vulnerabilities allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. The exploitation of this vulnerability enables a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.

Recommendations For Open Ticket Request System (OTRS) Help Desk versions 3.0.x through 3.0.21, update to version 3.0.22 or later. For Open Ticket Request System (OTRS) Help Desk versions 3.1.x through 3.1.17, update to version 3.1.18 or later. For Open Ticket Request System (OTRS) Help Desk versions 3.2.x through 3.2.8, update to version 3.2.9 or later. As a temporary workaround, consider restricting access to the vulnerable components, such as Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm, until a patch is available.