
Test ID: 1.3.6.1.4.1.25623.1.0.803935
Category: Web application abuses
Title: OTRS 1.0.0 - 1.3.2, 2.0.0 - 2.0.3 Multiple Input Validation Vulnerabilities
Summary: OTRS (Open Ticket Request System) is prone to multiple input validation vulnerabilities.
Description: Summary:
OTRS (Open Ticket Request System) is prone to multiple input
validation vulnerabilities.

Vulnerability Insight:
Multiple errors exist in the application, which fails to properly
validate the following user-supplied input:

- For XSS attacks: (1) the QueueID parameter, (2) the Action parameter and (3) AttachmentDownloadType.

- For SQL injection attacks: (1) the user parameter, (2) the TicketID parameter and (3) the ArticleID parameter.

Vulnerability Impact:
Successful exploitation will allow remote attackers to steal the
victim's cookie-based authentication credentials or execute arbitrary SQL commands and bypass
authentication.

Affected Software/OS:
OTRS (Open Ticket Request System) version 1.0.0 through 1.3.2
and 2.0.0 through 2.0.3.

Solution:
Update to version 1.3.3, 2.0.4 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2005-3893
BugTraq ID: 15537
http://www.securityfocus.com/bid/15537/
Bugtraq: 20051122 OTRS 1.x/2.x Multiple Security Issues
http://marc.info/?l=bugtraq&m=113272360804853&w=2
Debian Security Information: DSA-973
http://www.debian.org/security/2006/dsa-973
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/039001.html
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
http://www.osvdb.org/21064
http://www.osvdb.org/21065
http://securitytracker.com/id?1015262
http://secunia.com/advisories/17685/
http://secunia.com/advisories/18101
http://secunia.com/advisories/18887
SuSE Security Announcement: SUSE-SR:2005:030
http://www.novell.com/linux/security/advisories/2005_30_sr.html
http://www.vupen.com/english/advisories/2005/2535
XForce ISS Database: otrs-agentticketplain-sql-injection(23354)
https://exchange.xforce.ibmcloud.com/vulnerabilities/23354
XForce ISS Database: otrs-login-sql-injection(23352)
https://exchange.xforce.ibmcloud.com/vulnerabilities/23352
Common Vulnerability Exposure (CVE) ID: CVE-2005-3894
http://www.osvdb.org/21067
XForce ISS Database: otrs-index-xss(23359)
https://exchange.xforce.ibmcloud.com/vulnerabilities/23359
XForce ISS Database: otrs-queue-selection-xss(23356)
https://exchange.xforce.ibmcloud.com/vulnerabilities/23356
Common Vulnerability Exposure (CVE) ID: CVE-2005-3895
http://www.osvdb.org/21066
http://securityreason.com/securityalert/200
XForce ISS Database: otrs-email-attachment-xss(23355)
https://exchange.xforce.ibmcloud.com/vulnerabilities/23355
Copyright: Copyright (C) 2013 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.