Related Vulnerabilities: CVE-2007-2524  

Debian Bug report logs - #423524
otrs2: [CVE-2007-2524] XSS vulnerability in index.pl

Package: otrs2; Maintainer for otrs2 is Patrick Matthäi <pmatthaei@debian.org>; Source for otrs2 is src:otrs2 (PTS, buildd, popcon).

Reported by: SALVETTI Djoume <djoume@taket.org>

Date: Sat, 12 May 2007 15:36:02 UTC

Severity: normal

Tags: security

Found in version otrs2/2.0.4p01-17

Done: "Torsten Werner" <twerner@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.otrs.org/show_bug.cgi?id=1868


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Torsten Werner <twerner@debian.org>:
Bug#423524; Package otrs2.


Acknowledgement sent to SALVETTI Djoume <djoume@taket.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Torsten Werner <twerner@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: [CVE-2007-2524] XSS vulnerability in index.pl
Date: Sat, 12 May 2007 17:31:14 +0200
Package: otrs2
Version: 2.0.4p01-17
Severity: normal
Tags: security


Hi,

According to CVE-2007-2524:

| Cross-site scripting (XSS) vulnerability in index.pl in OTRS (Open
| Ticket Request System) 2.0.x allows remote attackers to inject
| arbitrary web script or HTML via the Subaction parameter in an
| AgentTicketMailbox Action.

More details and a PoC are available here:

http://www.virtuax.be/?page=library&id=35&type=Exploits

According to this site, 2.2 (in experimental) is not vulnerable, but I
haven't checked myself.

I haven't checked either whether OTRS 1.X is vulnerable.

Regards.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)



Noted your statement that Bug has been forwarded to http://bugs.otrs.org/show_bug.cgi?id=1868. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Sat, 12 May 2007 16:09:01 GMT)


Bug no longer marked as found in version 2.0.4p01-18. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Fri, 10 Aug 2007 18:00:02 GMT)


Bug no longer marked as found in version 2.0.4p01-18. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Tue, 18 Sep 2007 18:39:02 GMT)


Reply sent to mail.twerner@googlemail.com:
You have taken responsibility.


Notification sent to SALVETTI Djoume <djoume@taket.org>:
Bug acknowledged by developer.


Message #16 received at 423524-done@bugs.debian.org:

From: "Torsten Werner" <twerner@debian.org>
To: 423524-done@bugs.debian.org
Subject: otrs2: [CVE-2007-2524] XSS vulnerability in index.pl
Date: Tue, 18 Sep 2007 21:50:08 +0200
The fix is in the current Etch release; closing the bug report now.

Torsten

-- 
blog: http://twerner.blogspot.com/
homepage: http://www.twerner42.de/

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 17 Oct 2007 07:30:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:26 2019; Machine Name: buxtehude
