Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Jan 2014 10:57:57 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: CVE Request: otrs: CSRF issue in customer web interface


A CSRF issue in otrs was announced in [1]. Is a CVE for this issue
already assigned?

>From upstream announcement:

An attacker that managed to take over the session of a logged in
customer could create tickets and/or send follow-ups to existing
tickets due to missing challenge token checks.

Commits for various branches (3.1.x, 3.2.x and 3.3.x) are in [2], [3]
and [4].

Bugreport at [5].



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ