Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
bugs.otrs.org/show_bug.cgi?id=10099
osvdb.org/102632
secunia.com/advisories/56644
secunia.com/advisories/56655
www.debian.org/security/2014/dsa-2867
www.openwall.com/lists/oss-security/2014/01/29/15
www.openwall.com/lists/oss-security/2014/01/29/7
github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
www.otrs.com/release-notes-otrs-help-desk-3-3-4
www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface