PT-2014-4199 · Otrs+1 · Otrs+1

Published

2014-02-04

·

Updated

2016-06-02

·

CVE-2014-1471

CVSS v2.0

7.5

High

VectorAV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions Open Ticket Request System (OTRS) versions 3.1.x through 3.1.18 Open Ticket Request System (OTRS) versions 3.2.x through 3.2.13 Open Ticket Request System (OTRS) versions 3.3.x through 3.3.3
Description A SQL injection issue exists in the StateGetStatesByType function in Kernel/System/State.pm. This allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
Recommendations For OTRS versions 3.1.x through 3.1.18, update to version 3.1.19 or later. For OTRS versions 3.2.x through 3.2.13, update to version 3.2.14 or later. For OTRS versions 3.3.x through 3.3.3, update to version 3.3.4 or later.

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2014-1279
CVE-2014-1471
DSA-2867-1
MGASA-2014-0094

Affected Products

Alt Linux
Otrs