CVE-2017-17476

Published: 20/12/2017 Updated: 03/10/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Open Ticket Request System (OTRS) 4.0.x prior to 4.0.28, 5.0.x prior to 5.0.26, and 6.0.x prior to 6.0.3, when cookie support is disabled, might allow remote malicious users to hijack web sessions and consequently gain privileges via a crafted email.

Vulnerable Product

otrs otrs

debian debian linux 7.0

debian debian linux 8.0

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #884801 otrs2: CVE-2017-17476: OSA-2017-10: Session hijacking. Package: src:otrs2; Maintainer for src:otrs2 is Patrick Matthäi <pmatthaei@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 19 Dec 2017 20:24:01 UTC; Severity: grave; Tags: patch, security, upstream Fou ...

Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request System, which could result in session information disclosure when cookie support is disabled. A remote attacker can take advantage of this flaw to take over an agent's session if the agent is tricked into clicking a link in a specially crafted mail. For the oldstable distribution ...