Hi,

On Sun, Feb 23, 2014 at 08:42:01PM +0000, Salvatore Bonaccorso wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2867-1 [email protected]
> http://www.debian.org/security/ Salvatore Bonaccorso
> February 23, 2014 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : otrs2
> Vulnerability : several
> CVE ID : CVE-2014-1471 CVE-2014-1694
>
> Several vulnerabilities were discovered in otrs2, the Open Ticket
> Request System. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CVE-2014-1471
>
> Norihiro Tanaka reported missing challenge token checks. An attacker
> that managed to take over the session of a logged in customer could
> create tickets and/or send follow-ups to existing tickets due to
> these missing checks.
>
> CVE-2014-1694
>
> Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
> valid customer or agent login could inject SQL code through the
> ticket search URL.
This should be:

CVE-2014-1694

Norihiro Tanaka reported missing challenge token checks. An attacker
that managed to take over the session of a logged in customer could
create tickets and/or send follow-ups to existing tickets due to
these missing checks.

CVE-2014-1471

Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
valid customer or agent login could inject SQL code through the
ticket search URL.
Apologies for not having spotted that earlier. I have committed the
changes for the websites so that they will be correct on the next update.
Regards,
Salvatore