Bug 1213599 (CVE-2023-38060)

Summary: VUL-0: CVE-2023-38060: otrs: Improper Input Validation in Generic Interface modules leads to host header injection
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Wolfgang Engel <wolfgang.engel>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: dmueller
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373294/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-07-24 12:29:27 UTC
CVE-2023-38060

Improper Input Validation vulnerability in the ContentType parameter for
attachments on TicketCreate or TicketUpdate operations of the OTRS Generic
Interface modules allows any authenticated attacker to perform a host
header injection for the ContentType header of the attachment.


This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35;
((OTRS)) Community Edition: from 6.0.1 through 6.0.34.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38060
https://www.cve.org/CVERecord?id=CVE-2023-38060
https://otrs.com/release-notes/otrs-security-advisory-2023-04/

Comment 1 Robert Frohl 2023-07-24 12:29:57 UTC
affecting openSUSE:Backports:*