Debian Security Advisory
DSA-1298-1 otrs2 -- missing input sanitising
- Date Reported:
- 28 May 2007
- Affected Packages:
- otrs2
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2007-2524.
- More information:
-
It was discovered that the Open Ticket Request System performs insufficient input sanitising for the Subaction parameter, which allows the injection of arbitrary web script code.
The oldstable distribution (sarge) doesn't include otrs2.
For the stable distribution (etch) this problem has been fixed in version 2.0.4p01-18.
The unstable distribution (sid) isn't affected by this problem.
We recommend that you upgrade your otrs2 package.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/o/otrs2/otrs2_2.0.4p01-18.dsc
- http://security.debian.org/pool/updates/main/o/otrs2/otrs2_2.0.4p01-18.diff.gz
- http://security.debian.org/pool/updates/main/o/otrs2/otrs2_2.0.4p01.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/otrs2/otrs2_2.0.4p01-18.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/o/otrs2/otrs2_2.0.4p01-18_all.deb
MD5 checksums of the listed files are available in the original advisory.