Bug 1213599 (CVE-2023-38060) - VUL-0: CVE-2023-38060: otrs: Improper Input Validation in Generic Interface modules leads to host header injection
Status: NEW
Alias: CVE-2023-38060
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Wolfgang Engel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373294/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-24 12:29 UTC by Robert Frohl
Modified: 2023-07-24 13:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2023-07-24 12:29:27 UTC
CVE-2023-38060

Improper Input Validation vulnerability in the ContentType parameter for
attachments on TicketCreate or TicketUpdate operations of the OTRS Generic
Interface modules allows any authenticated attacker to perform a host
header injection for the ContentType header of the attachment.


This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35;
((OTRS)) Community Edition: from 6.0.1 through 6.0.34.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38060
https://www.cve.org/CVERecord?id=CVE-2023-38060
https://otrs.com/release-notes/otrs-security-advisory-2023-04/
Comment 1 Robert Frohl 2023-07-24 12:29:57 UTC
affecting openSUSE:Backports:*