Date: Wed, 29 Jan 2014 10:57:57 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: security@...s.org, pmatthaei@...ian.org
Subject: CVE Request: otrs: CSRF issue in customer web interface

Hi

A CSRF issue in otrs was announced in . Is a CVE for this issue already assigned?

From upstream announcement:

An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks.

Commits for various branches (3.1.x, 3.2.x and 3.3.x) are in , and . Bugreport at .

https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77
https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7
https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312
http://bugs.otrs.org/show_bug.cgi?id=10099

Regards,
Salvatore