Security Advisory 2013-05 – SQL Injection + XSS Issue

This advisory is issued by OTRS Group, the world's leading provider of the OTRS service management suite, including the fully managed OTRS solution and the ITIL® V3-compliant IT service management software OTRS::ITSM.

July 9, 2013 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability

security@otrs.org


Security Advisory Details

  • Date: July 9, 2013
  • Title: SQL Injection + XSS Issue
  • Severity: Medium (overall CVSS v2 score, SQL injection: 3.6; XSS: 4.2)
  • Affected:
    – OTRS 3.2.x
    – OTRS 3.1.x
    – OTRS 3.0.x
    – OTRS ITSM 3.2.x
    – OTRS ITSM 3.1.x
    – OTRS ITSM 3.0.x
  • Fixed in:
    – OTRS 3.0.22, 3.1.18, 3.2.9
    – OTRS ITSM 3.0.9, 3.1.10, 3.2.7
  • Full CVSS v2 vectors (base, temporal and environmental metrics):
    – SQL injection: (AV:L/AC:L/Au:S/C:N/I:C/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND)
    – XSS: (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND)
  • References:
    – CVE-2013-4717 – SQL injection
    – CVE-2013-4718 – XSS
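As an added example (not part of the advisory and not OTRS project code), the following Python compares an installed version against the fixed releases listed above. Versions are compared numerically per component, so a hypothetical 3.2.10 ranks above 3.2.9 rather than below it as a string comparison would have it. The `RELEASE` file format (`PRODUCT = ...` and `VERSION = ...` lines in the OTRS root directory) and its sample content are assumptions; OTRS ITSM is a package, so its version has to be read from the package manager, not from that file.

```python
import re

# Fixed releases from this advisory, keyed by product and branch. Each entry is
# the first release of that branch that contains the fix.
FIXED_IN = {
    "OTRS": {(3, 0): (3, 0, 22), (3, 1): (3, 1, 18), (3, 2): (3, 2, 9)},
    "OTRS ITSM": {(3, 0): (3, 0, 9), (3, 1): (3, 1, 10), (3, 2): (3, 2, 7)},
}


def parse_version(text):
    """'3.2.10' -> (3, 2, 10). Tuples of ints compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(product, version):
    """True if product/version falls in an affected range of this advisory,
    False if it is at or above the fixed release for its branch, and None for
    branches the advisory does not list (for example 2.4.x), which it says
    nothing about."""
    v = parse_version(version)
    fixed = FIXED_IN[product].get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def parse_release_file(content):
    """Read PRODUCT and VERSION from 'KEY = value' lines (format assumed)."""
    fields = {}
    for line in content.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields["PRODUCT"], fields["VERSION"]


# Constructed sample standing in for /opt/otrs/RELEASE on an unpatched host.
SAMPLE_RELEASE = "PRODUCT = OTRS\nVERSION = 3.2.8\n"

if __name__ == "__main__":
    product, version = parse_release_file(SAMPLE_RELEASE)
    print(product, version, "affected:", is_affected(product, version))
```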


Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS core system and the OTRS ITSM modules.

  • An attacker with a valid agent login could manipulate URLs, leading to SQL injection.
  • An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to JavaScript injection (cross-site scripting, XSS).

Affected by this vulnerability are all releases of OTRS 3.0.x up to and including 3.0.21, 3.1.x up to and including 3.1.17 and 3.2.x up to and including 3.2.8 as well as all releases of OTRS ITSM 3.0.x up to and including 3.0.8, 3.1.x up to and including 3.1.9 and 3.2.x up to and including 3.2.6.
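As an added illustration of the two bug classes named above, the Python below shows a URL parameter reaching a query through string interpolation next to the bind-parameter form, and the same search term reflected into HTML unescaped next to the encoded form. This is constructed example code, not OTRS source: it does not reproduce the OTRS code paths, parameters or pages behind the CVEs, and the table, column, parameter and URL names are invented.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed in-memory table standing in for any searchable record store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE item (id INTEGER, name TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO item VALUES (?, ?, ?)",
        [(1, "laptop", "alice"), (2, "server", "bob"), (3, "phone", "alice")],
    )
    db.commit()
    return db


def param_from_url(url, name):
    """Pull one query-string parameter out of a URL the logged-in agent controls."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_vulnerable(db, owner):
    # Interpolating the parameter makes it part of the SQL text, so a quote in
    # the value changes the structure of the query rather than its data.
    sql = "SELECT id, name FROM item WHERE owner = '%s'" % owner
    return db.execute(sql).fetchall()


def search_fixed(db, owner):
    # Bind parameter: the driver sends the value separately from the SQL text,
    # so it is matched as a literal whatever characters it contains.
    return db.execute(
        "SELECT id, name FROM item WHERE owner = ?", (owner,)
    ).fetchall()


def render_vulnerable(term):
    # Echoing the search term unescaped lets markup carried in the URL run
    # as script in the agent's browser.
    return "<p>Results for: %s</p>" % term


def render_fixed(term):
    # HTML-encode before inserting into an HTML text context.
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Hypothetical URL; the Owner value decodes to: alice' OR '1'='1
    url = ("http://otrs.example/index.pl?Action=ItemSearch"
           "&Owner=alice%27%20OR%20%271%27%3D%271")
    owner = param_from_url(url, "Owner")
    print("vulnerable:", search_vulnerable(db, owner))  # every row comes back
    print("fixed:     ", search_fixed(db, owner))       # no owner by that name
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_fixed("<script>alert(1)</script>"))
```

The fixed search returns an empty result for the injected value because the whole string is compared against the `owner` column; the vulnerable one returns every row because the `OR '1'='1'` became part of the `WHERE` clause.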


Recommended Resolution

These vulnerabilities are fixed in the latest versions of OTRS and of the affected ITSM packages; upgrading to one of these releases is recommended.

Here is detailed information about the required changes:

OTRS

3.2: https://github.com/OTRS/otrs/commit/d367b70fa98a2d147364f1b8e50dfe9de8585ecd and https://github.com/OTRS/otrs/commit/1ccab9fb4cf2137e818efe99cb080df549835656

3.1: https://github.com/OTRS/otrs/commit/fc3b3c0c41800edaaefc843dc45f03028cf72e43 and https://github.com/OTRS/otrs/commit/a29b8820517b1ebad179b24638cecf9aefd15bc3

3.0: https://github.com/OTRS/otrs/commit/0ee00da3c37680b93e930d120f318ab6a765ed5a and https://github.com/OTRS/otrs/commit/3f22791652dcdb37f886354565f817dcb3ef1314

ITSM

OTRS ITSM 3.2.x:

OTRS ITSM 3.1.x:

OTRS ITSM 3.0.x:

However, to avoid unwanted side effects, we recommend a complete update.

Release Name:

Security Advisory 2013-05 – SQL Injection + XSS Issue
PGP Key

  • pub 2048R/9C227C6B 2011-03-21 [expires at: 2014-03-20]
  • uid OTRS Security Team <security@otrs.org>
  • Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B
