
On Sun, Feb 23, 2014 at 08:42:01PM +0000, Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2867-1                   secur...@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> February 23, 2014                      http://www.debian.org/security/faq
> -------------------------------------------------------------------------
> Package        : otrs2
> Vulnerability  : several
> CVE ID         : CVE-2014-1471 CVE-2014-1694
> Several vulnerabilities were discovered in otrs2, the Open Ticket
> Request System. The Common Vulnerabilities and Exposures project
> identifies the following problems:
> CVE-2014-1471
>     Norihiro Tanaka reported missing challenge token checks. An attacker
>     that managed to take over the session of a logged in customer could
>     create tickets and/or send follow-ups to existing tickets due to
>     these missing checks.
> CVE-2014-1694
>     Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
>     valid customer or agent login could inject SQL code through the
>     ticket search URL.

This should be:


    Norihiro Tanaka reported missing challenge token checks. An attacker
    that managed to take over the session of a logged in customer could
    create tickets and/or send follow-ups to existing tickets due to
    these missing checks.


    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
    valid customer or agent login could inject SQL code through the
    ticket search URL.

Apologies for not having spotted that earlier. I have committed the
changes for the websites so that they will be correct on the next update.
