CVE-2014-1694

High

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.

References

https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface

https://www.otrs.com/release-notes-otrs-help-desk-3-3-4

http://www.openwall.com/lists/oss-security/2014/01/29/7

http://www.openwall.com/lists/oss-security/2014/01/29/15

http://www.debian.org/security/2014/dsa-2867

http://secunia.com/advisories/56655

http://secunia.com/advisories/56644

http://osvdb.org/102632

http://bugs.otrs.org/show_bug.cgi?id=10099

Details

Source: Mitre, NVD

Published: 2014-02-04

Updated: 2014-03-06

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High