Bugzilla – Bug 862367
VUL-0: CVE-2014-1471: otrs: SQL injection vulnerability in the StateGetStatesByType function
Last modified: 2014-03-26 11:20:12 UTC
CVE-2014-1471

An attacker with a valid customer or agent login could inject SQL in the ticket search URL. Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.

References:
http://osvdb.org/102661
http://secunia.com/advisories/56644
http://secunia.com/advisories/56655
http://www.openwall.com/lists/oss-security/2014/01/29/15
https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82
https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d
https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949
https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
https://www.otrs.com/security-advisory-2014-02-sql-injection-issue
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1471
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1471
bugbot adjusting priority
12.3 not affected by this BUG: ./12.3/noarch/otrs-3.1.20-26.9.1.noarch.rpm > 3.1.18
13.1 not affected by this BUG ./13.1/src/otrs-3.2.15-31.5.1.src.rpm > 3.2.13
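
The version comparison made in the comment above, as an added example (not part of the bug report or of OTRS): it parses the upstream version out of an otrs RPM file name and checks it against the affected ranges quoted in the CVE description. The function names and the two `./example/` paths are constructed for illustration, and a version-only check cannot see fixes that a distribution backported into an older version.

```python
import re

# Last affected patch level per branch, as stated in the CVE-2014-1471 text above.
LAST_AFFECTED = {(3, 1): 18, (3, 2): 13, (3, 3): 3}

# Matches otrs-<major>.<minor>.<patch>-<release>.<arch>.rpm; any directory prefix is ignored.
RPM_RE = re.compile(r"(?:^|/)otrs-(\d+)\.(\d+)\.(\d+)-[^/]+\.rpm$")


def otrs_version(rpm_path):
    """Return (major, minor, patch) parsed from an otrs RPM file name."""
    m = RPM_RE.search(rpm_path)
    if m is None:
        raise ValueError(f"not an otrs package file name: {rpm_path!r}")
    return tuple(int(g) for g in m.groups())


def triage(rpm_path):
    """Classify a package as 'affected', 'fixed' or 'unknown-branch'."""
    major, minor, patch = otrs_version(rpm_path)
    last_bad = LAST_AFFECTED.get((major, minor))
    if last_bad is None:
        # The description lists only 3.1.x, 3.2.x and 3.3.x. Make no claim about
        # other branches instead of silently reporting them as safe.
        return "unknown-branch"
    # Upstream version only: a backported patch in an older build is not detected.
    return "affected" if patch <= last_bad else "fixed"


if __name__ == "__main__":
    samples = [
        "./12.3/noarch/otrs-3.1.20-26.9.1.noarch.rpm",  # from the bug comment
        "./13.1/src/otrs-3.2.15-31.5.1.src.rpm",        # from the bug comment
        "./example/otrs-3.3.3-1.1.noarch.rpm",          # constructed sample
        "./example/otrs-3.0.22-1.1.noarch.rpm",         # constructed sample
    ]
    for path in samples:
        print(f"{triage(path):15} {path}")
```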