Synopsis
The remote Debian host is missing a security-related update.
Description
Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege escalation vulnerability in otrs2, the Open Ticket Request System. An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured.
Solution
Upgrade the otrs2 packages.
For the stable distribution (wheezy), this problem has been fixed in version 3.1.7+dfsg1-8+deb7u5.
For the upcoming stable distribution (jessie), this problem has been fixed in version 3.3.9-3.