Mandriva Linux Security Advisory : otrs (MDVSA-2013:112)

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing a security update.

Description :

Updated otrs package fixes security vulnerabilities :

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket
Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before
3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5,
3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to
inject arbitrary web script or HTML via an e-mail message body with
(1) a Cascading Style Sheets (CSS) expression property in the STYLE
attribute of an arbitrary element or (2) UTF-7 text in an
HTTP-EQUIV=CONTENT-TYPE META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System
(OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x
before 3.1.10, when Firefox or Opera is used, allows remote attackers
to inject arbitrary web script or HTML via an e-mail message body with
nested HTML tags (CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System
(OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x
before 3.1.11 allows remote attackers to inject arbitrary web script
or HTML via an e-mail message body with whitespace before a
javascript: URL in the SRC attribute of an element, as demonstrated by
an IFRAME element (CVE-2012-4751).

Solution :

Update the affected otrs package.
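
The fixed-in versions listed in the description can be checked against an installed upstream OTRS Help Desk version as follows. This is an added example, not part of the advisory or the Nessus plugin; the function names are hypothetical, the sample versions are constructed, and the OTRS ITSM ranges given for CVE-2012-2582 are not covered.

```python
import re

# Fixed-in patch level per OTRS Help Desk branch, taken from the advisory text.
FIXED_IN = {
    "CVE-2012-2582": {(2, 4): 13, (3, 0): 15, (3, 1): 9},
    "CVE-2012-4600": {(2, 4): 14, (3, 0): 16, (3, 1): 10},
    "CVE-2012-4751": {(2, 4): 15, (3, 0): 17, (3, 1): 11},
}


def parse_version(text):
    """Extract (major, minor, patch) as integers from e.g. '3.1.10' or 'otrs-3.0.15-1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def advisory_status(version_text):
    """Map each CVE to 'vulnerable', 'fixed' or 'branch not listed' for one version."""
    major, minor, patch = parse_version(version_text)
    status = {}
    for cve, branches in FIXED_IN.items():
        fixed_patch = branches.get((major, minor))
        if fixed_patch is None:
            # The advisory makes no statement about this branch.
            status[cve] = "branch not listed"
        elif patch < fixed_patch:  # integer compare, so 3.1.10 > 3.1.9
            status[cve] = "vulnerable"
        else:
            status[cve] = "fixed"
    return status


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for sample in ("2.4.12", "3.0.15", "3.1.10", "3.2.1"):
        print(sample, advisory_status(sample))
```

The three CVEs were fixed in successive releases of each branch, so a version that closes CVE-2012-2582 can still be exposed to the two later issues.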

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 66124

Bugtraq ID: 56093

CVE ID: CVE-2012-2582
CVE-2012-4600
CVE-2012-4751
