Bug 910988 (CVE-2014-9324) - VUL-0: CVE-2014-9324: otrs: The GenericInterface in OTRS Help Desk access-control problems
Status: RESOLVED FIXED
Alias: CVE-2014-9324
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111749/
 
Reported: 2014-12-22 09:02 UTC by Victor Pereira
Modified: 2015-01-23 10:07 UTC
Found By: Security Response Team


Description Victor Pereira 2014-12-22 09:02:54 UTC
CVE-2014-9324

The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11,
and 4.0.x before 4.0.3 allows remote authenticated users to access and modify
arbitrary tickets via unspecified vectors.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9324
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
http://secunia.com/advisories/59875
Comment 1 Swamp Workflow Management 2014-12-22 23:00:14 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2014-12-29 09:54:27 UTC
ongoing work
Comment 3 Christian Wittmer 2014-12-29 14:48:38 UTC
Maintenance Request:
https://build.opensuse.org/request/show/266789
Comment 4 Marcus Meissner 2015-01-23 09:19:48 UTC
released
Comment 5 Swamp Workflow Management 2015-01-23 10:07:44 UTC
openSUSE-SU-2015:0117-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 910988
CVE References: CVE-2014-9324
Sources used:
openSUSE 13.2 (src):    otrs-3.3.11-4.1
openSUSE 13.1 (src):    otrs-3.2.17-31.13.1