July 9, 2013 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Report a Vulnerability
Security Advisory Details
- Date: July 9, 2013
- Title: Sql Injection + Xss Issue
- Severity: Medium (Overall CVSS Score SQL Injection: 3.6, CVSS Score XSS: 4.2)
- Affected: OTRS 3.2.x
– OTRS 3.2.x
– OTRS 3.1.x
– OTRS 3.0.x
– OTRS ITSM 3.2.x
– OTRS ITSM 3.1.x
– OTRS ITSM 3.0.x - Fixed in:
– OTRS 3.0.22, 3.1.18, 3.2.9, OTRS ITSM 3.0.9, 3.1.10, 3.2.7 - FULL CVSS v2 VECTORS
- SQL Injection:
(AV:L/AC:L/AU:S/C:N/I:C/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND) - XSS:
(AV:N/AC:L/AU:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND) - References:
– CVE-2013-4717 – SQL injection
– CVE-2013-4718 – XSS
Vulnerability Description
This Advisory covers vulnerabilities discovered in the OTRS core system and the OTRS ITSM modules.
- An attacker with a valid agent login could manipulate URLs leading to SQL injection.
- An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.
Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.21, 3.1.x up to and including 3.1.17 and 3.2.x up to and including 3.2.8 as well as all releases of OTRS ITSM 3.0.x up to and including 3.0.8, 3.1.x up to and including 3.1.9 and 3.2.x up to and including 3.2.6.
Recommended Resolution
This vulnerability is fixed in the latest versions of OTRS and the affected packages, and it is recommended to upgrade to one of these.
Here are detailed informations about the required changes:
OTRS
ITSM
OTRS ITSM 3.2.x:
OTRS ITSM 3.1.x:
OTRS ITSM 3.0.x:
However, to avoid unwanted side effects, we recommend a complete update.