FreeBSD : otrs -- SQL injection (6b575419-14cf-11df-a628-001517351c22)

Severity: Medium | Nessus Plugin ID 44407


The remote FreeBSD host is missing a security-related update.


OTRS Security Advisory reports:

Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements.

A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e.g. administrator permissions).

To use this vulnerability the malicious user needs to have a valid Agent- or Customer-session.


Update the affected package.

Plugin Details

Severity: Medium

ID: 44407

File Name: freebsd_pkg_6b57541914cf11dfa628001517351c22.nasl

Version: $Revision: 1.7 $

Type: local

Published: 2010/02/09

Modified: 2013/06/21

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:otrs, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2010/02/08

Vulnerability Publication Date: 2010/02/08

Reference Information

CVE: CVE-2010-0438

CWE: 89