Bug 861804 (CVE-2014-1694) - VUL-0: CVE-2014-1694: otrs: CSRF issue in customer web interface
Summary: VUL-0: CVE-2014-1694: otrs: CSRF issue in customer web interface
Status: RESOLVED FIXED
Alias: CVE-2014-1694
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-03 10:44 UTC by Victor Pereira
Modified: 2014-03-26 11:18 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Victor Pereira 2014-02-03 10:44:25 UTC
OSS:11948


An attacker that managed to take over the session of a logged-in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.18, 3.2.x up to and including 3.2.13 and 3.3.x up to and including 3.3.3.


References:
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
http://bugs.otrs.org/show_bug.cgi?id=10099
https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
http://comments.gmane.org/gmane.comp.security.oss.general/11948
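The description says the customer interface accepted ticket creation and follow-ups on the strength of the session cookie alone, with no challenge token check. The following Python example is added here to show that gap beside the corrected form; it is not code from OTRS, SUSE or this bug. The session store, the Request shape and the handler names are constructed for the example; only the parameter name ChallengeToken is taken from the OTRS mechanism the advisory refers to. Because a browser attaches the SessionID cookie to a form post that any attacker-controlled page auto-submits, the vulnerable handler performs the action for the forged request; the fixed handler additionally requires the per-session token, which a cross-site page cannot read, and compares it in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store for the example. OTRS keeps its
# challenge token in the session backend; the layout here is assumed.
@dataclass
class Session:
    user: str
    # Per-session secret that only a page served by the application can
    # embed in its forms; a cross-site page cannot read it.
    challenge_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict[str, Session] = {}
TICKETS: list[dict] = []


@dataclass
class Request:
    cookies: dict
    params: dict


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("SessionID", ""))


def create_ticket_vulnerable(req: Request) -> int:
    """Pre-fix behaviour: a valid session cookie is the only authorization.
    The browser sends that cookie with a cross-site form post automatically,
    so any page the customer visits can create a ticket in their name."""
    sess = _session_for(req)
    if sess is None:
        return 403
    TICKETS.append({"owner": sess.user, "subject": req.params.get("Subject", "")})
    return 200


def create_ticket_fixed(req: Request) -> int:
    """Post-fix behaviour: the request must also carry the session's
    ChallengeToken, checked with a constant-time comparison."""
    sess = _session_for(req)
    if sess is None:
        return 403
    token = req.params.get("ChallengeToken", "")
    if not hmac.compare_digest(token, sess.challenge_token):
        return 403
    TICKETS.append({"owner": sess.user, "subject": req.params.get("Subject", "")})
    return 200


def forged_request(victim_sid: str) -> Request:
    """Constructed input: what the victim's browser sends when an attacker
    page auto-submits a form to the customer interface. The cookie rides
    along; the token does not, because the attacker never saw it."""
    return Request(
        cookies={"SessionID": victim_sid},
        params={"Action": "CustomerTicketMessage", "Subject": "attacker text"},
    )


def legitimate_request(sid: str) -> Request:
    """A form rendered by the application itself carries the token."""
    return Request(
        cookies={"SessionID": sid},
        params={
            "Action": "CustomerTicketMessage",
            "Subject": "my printer is on fire",
            "ChallengeToken": SESSIONS[sid].challenge_token,
        },
    )


def demo() -> dict:
    """Run the forged and legitimate requests against both handlers."""
    sid = login("customer@example.com")
    guessed = Request(cookies={"SessionID": sid},
                      params={"Subject": "x", "ChallengeToken": "0" * 32})
    return {
        "vulnerable_forged": create_ticket_vulnerable(forged_request(sid)),
        "fixed_forged": create_ticket_fixed(forged_request(sid)),
        "fixed_guessed": create_ticket_fixed(guessed),
        "fixed_legitimate": create_ticket_fixed(legitimate_request(sid)),
    }


if __name__ == "__main__":
    print(demo())
```

The check has to sit on every state-changing customer action, not just one form: the advisory names both ticket creation and follow-ups on existing tickets. A Referer or Origin check alone is a weaker substitute, since those headers may be stripped by proxies or privacy settings and the application then has to decide whether a missing header is a rejection.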
Comment 1 Swamp Workflow Management 2014-02-03 23:00:47 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2014-03-26 11:18:21 UTC
12.3 not affected by this BUG:
./12.3/noarch/otrs-3.1.20-26.9.1.noarch.rpm > 3.1.18

13.1 not affected by this BUG:
./13.1/src/otrs-3.2.15-31.5.1.src.rpm > 3.2.13
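The two checks above compare the upstream version in the packaged rpm against the per-branch ceilings given in the description (3.1.18, 3.2.13, 3.3.3). The following Python script is added here to automate that comparison; it is not from SUSE, OTRS or this bug, and the function names and the rpm-filename regex are constructed for the example. It parses name-version-release.arch.rpm, maps the version onto its 3.x branch and returns True if the branch is listed as affected and the version is at or below the ceiling, False if it is above, and None for a branch the advisory does not mention.

```python
import re

# Ceilings from the advisory text: each branch is affected up to and
# including this version. Branches not listed are treated as unknown.
AFFECTED_UP_TO = {
    (3, 1): (3, 1, 18),
    (3, 2): (3, 2, 13),
    (3, 3): (3, 3, 3),
}

# Constructed regex for a plain NVR.arch.rpm filename (no epoch in the name).
RPM_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$"
)


def parse_rpm_filename(path: str) -> tuple[str, str, str, str]:
    """Split '.../otrs-3.1.20-26.9.1.noarch.rpm' into (name, version, release, arch)."""
    base = path.rsplit("/", 1)[-1]
    m = RPM_RE.match(base)
    if not m:
        raise ValueError(f"not an rpm filename: {path}")
    return m["name"], m["version"], m["release"], m["arch"]


def version_tuple(version: str) -> tuple[int, ...]:
    """'3.1.20' -> (3, 1, 20); tuples compare element-wise, so 3.1.20 > 3.1.18."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str):
    """True/False for a listed branch, None if the advisory does not cover it."""
    v = version_tuple(version)
    ceiling = AFFECTED_UP_TO.get(v[:2])
    if ceiling is None:
        return None
    return v <= ceiling


def check_rpm(path: str):
    """Verdict for an otrs rpm based on its upstream version only."""
    name, version, _release, _arch = parse_rpm_filename(path)
    if name != "otrs":
        raise ValueError(f"not an otrs package: {name}")
    return is_affected(version)


if __name__ == "__main__":
    # The two packages from the comment above.
    for p in ("./12.3/noarch/otrs-3.1.20-26.9.1.noarch.rpm",
              "./13.1/src/otrs-3.2.15-31.5.1.src.rpm"):
        print(p, "affected:", check_rpm(p))
```

This only reasons about the upstream version string. A distribution can ship a fix as a backported patch without bumping that version, so a True verdict from the upstream number is an upper bound; the rpm changelog (rpm -q --changelog) is the place to confirm whether the CVE was patched in the release.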