Security Information / 2015 / Security Information -- DSA-3124-1 otrs2

Debian Security Advisory

DSA-3124-1 otrs2 -- security update

Date Reported:

10 Jan 2015

Affected Packages:

otrs2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-9324.

More information:

Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered a privilege escalation vulnerability in otrs2, the Open Ticket Request System. An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured.

For the stable distribution (wheezy), this problem has been fixed in version 3.1.7+dfsg1-8+deb7u5.

For the upcoming stable distribution (jessie), this problem has been fixed in version 3.3.9-3.

For the unstable distribution (sid), this problem has been fixed in version 3.3.9-3.

We recommend that you upgrade your otrs2 packages.