Updated otrs packages fix multiple vulnerabilities
Publication date: 24 Apr 2014
Modification date: 24 Apr 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-2553, CVE-2014-2554
Description
Updated otrs package fixes security vulnerabilities:
- A logged-in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS (CVE-2014-2553).
- An attacker could embed OTRS in a hidden iframe tag of another page, tricking the user into clicking links in OTRS (CVE-2014-2554).
References
- https://www.otrs.com/security-advisory-2014-04-xss-issue/
- https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/
- https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/
- http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html
- https://bugs.mageia.org/show_bug.cgi?id=13252
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2553
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2554
SRPMS
3/core
- otrs-3.2.16-1.mga3
4/core
- otrs-3.2.16-1.mga4