FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

otrs -- SQL injection

Affected packages
otrs < 2.4.7

Details

VuXML ID: 6b575419-14cf-11df-a628-001517351c22
Discovery: 2010-02-08
Entry: 2010-02-08
Modified: 2010-05-02

OTRS Security Advisory reports:

Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements.

A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e.g. administrator permissions).

To use this vulnerability the malicious user needs to have a valid Agent or Customer session.

References

CVE Name: CVE-2010-0438
URL: http://otrs.org/advisory/OSA-2010-01-en/