fkie_nvd - fkie_cve-2014-1694

fkie_cve-2014-1694

Vulnerability from fkie_nvd

Published

2014-02-04 21:55

Modified

2025-04-11 00:51

Severity ?

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.

References

URL	Tags
cve@mitre.org	http://bugs.otrs.org/show_bug.cgi?id=10099
cve@mitre.org	http://osvdb.org/102632
cve@mitre.org	http://secunia.com/advisories/56644	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/56655	Vendor Advisory
cve@mitre.org	http://www.debian.org/security/2014/dsa-2867
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/01/29/15
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/01/29/7
cve@mitre.org	https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7	Exploit, Patch
cve@mitre.org	https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312	Exploit, Patch
cve@mitre.org	https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77	Exploit, Patch
cve@mitre.org	https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
cve@mitre.org	https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://bugs.otrs.org/show_bug.cgi?id=10099
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/102632
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/56644	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/56655	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2014/dsa-2867
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/01/29/15
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/01/29/7
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
af854a3a-2127-422b-91ae-364da2661108	https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.0
otrs	otrs	3.2.1
otrs	otrs	3.2.2
otrs	otrs	3.2.3
otrs	otrs	3.2.4
otrs	otrs	3.2.5
otrs	otrs	3.2.6
otrs	otrs	3.2.7
otrs	otrs	3.2.8
otrs	otrs	3.2.9
otrs	otrs	3.2.10
otrs	otrs	3.1.0
otrs	otrs	3.1.1
otrs	otrs	3.1.2
otrs	otrs	3.1.3
otrs	otrs	3.1.4
otrs	otrs	3.1.5
otrs	otrs	3.1.6
otrs	otrs	3.1.7
otrs	otrs	3.1.8
otrs	otrs	3.1.9
otrs	otrs	3.1.10
otrs	otrs	3.1.11
otrs	otrs	3.1.13
otrs	otrs	3.1.14
otrs	otrs	3.1.15
otrs	otrs	3.1.16
otrs	otrs	3.1.17
otrs	otrs	3.1.18
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.0
otrs	otrs	3.3.1
otrs	otrs	3.3.2
otrs	otrs	3.3.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2206E940-7C63-43A5-A041-CA13A84312A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "EB051883-3917-414F-8A36-B51E833451E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "445641C8-5D1E-463E-8C00-1CD4E18B2B5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "24C72855-1DF6-4456-A68A-89458C2EA7D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "A84F186F-D5F9-4968-BA39-2B44FFD2119F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "2F58F68B-CCB5-408B-A721-05E355E9A2EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "9C41A2AB-BED9-4185-A71B-23F6CF101DA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EADC2C11-F0BB-4763-9B7D-D8ACCD259DA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BF18770-E861-4689-9040-A6E4BCB03D88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "77E1C1A9-4835-467D-8FA9-D93814634476",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "097B8F4A-66E7-46E9-B624-EA26F8687181",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B223E5A-9A4B-466B-BC0F-4C0400E70E64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "A30D8237-63CD-4075-B533-3E537A5B0D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "8821F99A-24D8-483E-AD56-AA5D34BF47FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0B6966E-47DA-4852-87E0-E768CCE07012",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "F638AF98-56CC-44A3-94E7-B7CCBAAFCE8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.2.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "F52F5362-FFE8-49F4-97A9-2BE4D855AF3A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "55EB05A1-9965-40D2-BABF-A666BE857166",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "777A992E-1D05-493F-8E2F-15AB3F2A4562",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "828189F1-EF8B-485C-946F-C12CCEE4E27D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D8020EA-A636-4C9B-A080-3EF092DF583B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C3C84E0-F4C1-4BDC-B7C1-519C4499FEC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "51877344-2358-400D-89D5-6273992571FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FC3B407-4C93-422F-800B-E747068826E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "52A10F00-2869-4DDE-9548-B374EBC14C12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BF985A8-DB88-47DA-9F9A-B63F727D8239",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A1D5FC4-BDFC-4D46-B722-8BFAC91C819F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "5189FACC-454A-4AFD-A08C-0F4F7158EDEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "5959FA82-043D-42A6-BB7A-C4D37350C5C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7DC1416-3EBF-4FA9-9A4E-0737BFFD4DA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "B30DBAFD-3213-4473-8F3A-783035D6ED9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1729DB9-48DB-49D5-8F81-567D01B91866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB3AF271-B4CA-4217-A96A-835133AF517B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDF17BC5-DEB1-47A1-9734-14F56F0B8DDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.1.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9A73332-DDB0-4C16-BB5B-4C4A3F90BF8C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B4C9653-D2B6-4A2E-A1E3-59D9E47D4F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "F950A3B9-9347-4271-9AE2-816BB37F2FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "78F12260-F695-492E-9F93-34873E8CD42B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "2CFBFFA0-A57E-44A8-9D37-25AD4D0D36F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "C2ACF399-6BD0-4753-A8FA-A7031C5E898D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "E314819D-7CF9-4DCC-8007-CFE73F3138A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "1D286118-DA1F-43A4-9B0B-9A340887EA88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "82E2C445-2CC0-4F4E-BF4E-C2987E273448",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAB02A9C-AE23-4DF6-88E7-A606A3483036",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:3.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1AEB95F-BF0E-42DE-BB47-3CB10BB27DA7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de CSRF en (1)  CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm y (4) CustomerTicketZoom.pm en Kernel/Modules/ en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos secuestrar la auntenticaci\u00f3n de usuarios arbitrarios para solicitudes que (5) crean tickets o (6) env\u00edan seguimientos a tickets existentes."
    }
  ],
  "id": "CVE-2014-1694",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-02-04T21:55:05.640",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://bugs.otrs.org/show_bug.cgi?id=10099"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/102632"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56644"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56655"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2014/dsa-2867"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/29/15"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/29/7"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.otrs.com/release-notes-otrs-help-desk-3-3-4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bugs.otrs.org/show_bug.cgi?id=10099"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/102632"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56644"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56655"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2014/dsa-2867"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/29/15"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/29/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.otrs.com/release-notes-otrs-help-desk-3-3-4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2014-1694 (GCVE-0-2014-1694)

Vulnerability from cvelistv5

Published

2014-02-04 16:00