openSUSE-SU-2017:1571-1

Опубликовано: 15 июн. 2017

Источник: suse-cvrf

Описание

Security update for otrs

This update for otrs fixes the following issues:

CVE-2017-9324: Incorrect Access Control in OTRS - Improved SecureMode detection in Installer (OSA-2017-03, bsc#1043086)
bsc#1043244: Reflected cross-site scripting in OTRS, customer search should not return results for internal (OSA-2017-02)

In addition, OTRS was updated to 3.3.17 with the following fixes:

Function 'SystemDataGroupGet' has problems with empty values in oracle
Base64 encoded image does not display in article
Chrome could not display attached PDF files

Список пакетов

openSUSE Leap 42.2

otrs-3.3.17-5.3.1

otrs-doc-3.3.17-5.3.1

otrs-itsm-3.3.14-5.3.1

Ссылки

https://lists.opensuse.org/opensuse-updates/2017-06/msg00048.html
E-Mail link for openSUSE-SU-2017:1571-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end.

Затронутые продукты

openSUSE Leap 42.2:otrs-3.3.17-5.3.1

openSUSE Leap 42.2:otrs-doc-3.3.17-5.3.1

openSUSE Leap 42.2:otrs-itsm-3.3.14-5.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2017-9324.html
CVE-2017-9324
https://bugzilla.suse.com/1043086
SUSE Bug 1043086
https://bugzilla.suse.com/1043244
SUSE Bug 1043244

openSUSE-SU-2017:1571-1

Описание

Список пакетов

openSUSE Leap 42.2

Ссылки

Уязвимость: CVE-2017-9324

Описание

Затронутые продукты

Ссылки