Description
In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| otrs2 | fixed | 4.0.7-2 | | package |
| otrs2 | fixed | 3.3.18-1+deb8u2 | jessie | package |
Notes
https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/
https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5
The root cause of the issue is the recursive parsing in the old
DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4,
OTRS switched to a new Template::Toolkit-based engine, which does not perform
recursive parsing and is not affected by this issue.