Advisories » MGASA-2014-0094

Updated otrs packages fix security vulnerabilities and a missing dependency

Publication date: 25 Feb 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-1694, CVE-2014-1471


Updated otrs package fixes security vulnerabilities:

In OTRS before 3.2.14, an attacker who managed to take over the session of a
logged-in customer could create tickets and/or send follow-ups to existing
tickets due to missing challenge token checks (CVE-2014-1694).

In OTRS before 3.2.14, an attacker with a valid customer or agent login could
inject SQL in the ticket search URL (CVE-2014-1471).

The update also adds a missing dependency, the absence of which prevented
database creation during web-based installation.