FreeBSD: 6B575419-14CF-11DF-A628-001517351C22
History: Feb 08, 2010 - 12:00 a.m.

otrs -- SQL injection

2010-02-08 00:00:00
vuxml.freebsd.org

CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 71.4%

OTRS Security Advisory reports:

Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it’s possible for
authenticated users to inject SQL queries
via string manipulation of statements.

A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e.g. administrator
permissions).

To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.

OS        OS Version   Architecture   Package   Package Version   Filename
FreeBSD   any          noarch         otrs      < 2.4.7           UNKNOWN
