6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.2 High
AI Score
Confidence
Low
0.006 Low
EPSS
Percentile
78.4%
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
bugs.otrs.org/show_bug.cgi?id=10099
osvdb.org/102632
secunia.com/advisories/56644
secunia.com/advisories/56655
www.debian.org/security/2014/dsa-2867
www.openwall.com/lists/oss-security/2014/01/29/15
www.openwall.com/lists/oss-security/2014/01/29/7
github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
www.otrs.com/release-notes-otrs-help-desk-3-3-4
www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface