CVE-2017-9324
First published: Mon Jun 12 2017(Updated: )
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=3.3.0<=3.3.16 | |
| Otrs Otrs | >=4.0.0<=4.0.23 | |
| Otrs Otrs | >=5.0.0<=5.0.19 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/3.3.0
- version/otrs otrs/3.3.16
- version/otrs otrs/4.0.0
- version/otrs otrs/4.0.23
- version/otrs otrs/5.0.0
- version/otrs otrs/5.0.19
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0