oss-sec mailing list archives

CVE Request: otrs: CSRF issue in customer web interface

From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 29 Jan 2014 10:57:57 +0100

Hi

A CSRF issue in otrs was announced in [1]. Is a CVE for this issue
already assigned?

From upstream announcement:


An attacker that managed to take over the session of a logged in
customer could create tickets and/or send follow-ups to existing
tickets due to missing challenge token checks.

Commits for various branches (3.1.x, 3.2.x and 3.3.x) are in [2], [3]
and [4].

Bugreport at [5].

 [1] https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
 [2] https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
 [3] https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
 [4] https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
 [5] http://bugs.otrs.org/show_bug.cgi?id=10099

Regards,
Salvatore

Current thread:

CVE Request: otrs: CSRF issue in customer web interface Salvatore Bonaccorso (Jan 29)
- Re: [Ticket#2014012942020471] CVE Request: otrs: CSRF issue in customer web interface Jens Bothe via OTRS Security Team (Jan 29)
- Re: CVE Request: otrs: CSRF issue in customer web interface cve-assign (Jan 29)