PT-2017-18844 · Otrs+1

Joerg-Thomas Vogt

·

Published

2017-06-09

·

Updated

2019-10-03

·

CVE-2017-9324

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Open Ticket Request System (OTRS) versions 3.3.x through 3.3.16
Open Ticket Request System (OTRS) versions 4.x through 4.0.23
Open Ticket Request System (OTRS) versions 5.x through 5.0.19
Description

An attacker who is already authenticated as an OTRS agent can gain administrative privileges simply by opening a specific URL in a browser; no further interaction is needed. The URLs in question invoke the installer frontend module, "index.pl?Action=Installer", with ";Subaction=Intro", ";Subaction=Start", or ";Subaction=System" appended. Reaching the installer lets the attacker read and change all system settings, which is why the vector rates confidentiality, integrity and availability impact as high even though only low (agent-level) privileges are required.
Recommendations

The flaw is the same in all three affected branches, so the remedy is the same: upgrade to a release newer than the affected ranges listed above (the vendor fix is the one referenced by DSA-3876-1). Until the upgrade is in place, restrict access to "index.pl?Action=Installer" (with ";Subaction=Intro", ";Subaction=Start" or ";Subaction=System") at the web server or reverse proxy in front of OTRS, for example by rejecting requests whose query string carries Action=Installer, and review the access log for agents that have already requested it. Merely advising agents not to open the URL is not a mitigation: the agent who opens it is the attacker.
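The description names the exact URLs an agent can abuse, and the recommendation is to restrict them and check who has already requested them. The following script is an added example written for this entry, not code from OTRS or the advisory: it recognises the vulnerable Installer requests (honouring both the ";" separator OTRS uses in its links and the "&" a tool might send) and scans web-server access-log lines in combined format for hits. The log lines, IP addresses and timestamps are constructed for illustration; the same predicate can be reused as a deny rule in a reverse-proxy filter.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Installer sub-actions named in the advisory as reachable by an agent.
INSTALLER_SUBACTIONS = {"Intro", "Start", "System"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic): one normal agent request,
# two hits on the vulnerable Installer URLs, one Installer request against
# customer.pl (not the affected entry point) and one unrelated sub-action.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2017:09:14:02 +0200] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=42 HTTP/1.1" 200 51234',
    '10.0.0.5 - - [12/Jun/2017:09:15:40 +0200] "GET /otrs/index.pl?Action=Installer;Subaction=Intro HTTP/1.1" 200 8812',
    '10.0.0.5 - - [12/Jun/2017:09:15:58 +0200] "GET /otrs/index.pl?Action=Installer&Subaction=System HTTP/1.1" 200 9344',
    '10.0.0.7 - - [12/Jun/2017:09:17:03 +0200] "GET /otrs/customer.pl?Action=Installer;Subaction=Start HTTP/1.1" 404 210',
    '10.0.0.9 - - [12/Jun/2017:09:18:11 +0200] "GET /otrs/index.pl?Action=Installer;Subaction=Finish HTTP/1.1" 200 7001',
]


def parse_query(target):
    """Split a request target into (path, {param: [values]}).

    OTRS links separate parameters with ';'; browsers and tools may send '&'.
    Pairs are split on the raw separators first and URL-decoded afterwards,
    so an encoded '%3B' stays inside a value instead of starting a new pair."""
    path, _, qs = target.partition("?")
    params = {}
    for pair in re.split(r"[;&]", qs):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return path, params


def is_installer_request(target):
    """Return the Installer sub-action from the advisory if the request target
    invokes index.pl with Action=Installer and one of those sub-actions,
    otherwise None."""
    path, params = parse_query(target)
    if not path.endswith("/index.pl"):
        return None
    if "Installer" not in params.get("Action", []):
        return None
    for sub in params.get("Subaction", []):
        if sub in INSTALLER_SUBACTIONS:
            return sub
    return None


def scan_access_log(lines):
    """Return a list of (client_ip, iso_timestamp, subaction, status) for every
    access-log line that hits one of the vulnerable Installer URLs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sub = is_installer_request(m.group("target"))
        if sub is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts.isoformat(), sub, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, ts, sub, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} Action=Installer;Subaction={sub} -> HTTP {status}")
```

To run it against a real log, replace SAMPLE_LOG with the lines of the OTRS virtual host's access log; a 200 response to one of these URLs from an agent's address after the initial installation is the event worth investigating.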

Weakness Enumeration

CWE-269: Improper Privilege Management

Related Identifiers

ALT-PU-2017-2623
CVE-2017-9324
DSA-3876-1

Affected Products

Alt Linux
Otrs