Debian 7: DLA-1119-1 Moderate: OTRS2 Code Injection Issues
debian lts
September 30, 2017
An attacker who is logged into OTRS, a Ticket Request System, as an agent with write permissions for statistics can inject arbitrary code into the system
Topics Covered
Summary
****IMPORTANT UPGRADE NOTES****
==============================
This update requires manual intervention. We strongly recommend to
backup all files and databases before upgrading. If you use the MySQL
backend you should read Debian bug report #707075 and the included
README.Debian file which will provide further information.
If you discover that the maintenance mode is still activated after the
update, we recommend to remove /etc/otrs/maintenance.html and
/var/lib/otrs/httpd/htdocs/maintenance.html which will resolve the issue
.
In addition the following security vulnerabilities were also addressed:
CVE-2014-1695
Cross-site scripting (XSS) vulnerability in OTRS allows remote
attackers to inject arbitrary web script or HTML via a crafted HTML
email
CVE-2014-2553
Cross-site scripting (XSS) vulnerability in OTRS allows remote
authenticated users to inject arbitrary web script or HTML via
vectors related to dynamic fields
CVE-2014-2554
PREVIOUS
NEXT
Package: otrs2
Version: 3.3.18-1~deb7u1
CVE ID: CVE-2014-1695 CVE-2014-2553 CVE-2014-2554
Debian Bug: 876462
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!