Date: Wed, 29 Jan 2014 10:57:57 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: security@...s.org, pmatthaei@...ian.org Subject: CVE Request: otrs: CSRF issue in customer web interface Hi A CSRF issue in otrs was announced in . Is a CVE for this issue already assigned? >From upstream announcement: An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks. Commits for various branches (3.1.x, 3.2.x and 3.3.x) are in ,  and . Bugreport at .  https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/  https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77  https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7  https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312  http://bugs.otrs.org/show_bug.cgi?id=10099 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ