Bug 871758 - VUL-0: CVE-2014-2553, CVE-2014-2554: otrs: XSS vulnerability and clickjacking-issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P5 - None, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/97602/
Reported: 2014-04-03 07:16 UTC by Alexander Bergmann
Modified: 2015-02-19 07:03 UTC

Found By: Security Response Team
Description Alexander Bergmann 2014-04-03 07:16:13 UTC
CVE-2014-2553

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.

openSUSE:12.3: 3.1.20
openSUSE:13.1: 3.2.15

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2553
https://www.otrs.com/security-advisory-2014-04-xss-issue
http://secunia.com/advisories/57616
Comment 1 Christian Wittmer 2014-04-03 20:06:48 UTC
ongoing work
Comment 2 Swamp Workflow Management 2014-04-03 22:00:15 UTC
bugbot adjusting priority
Comment 3 Christian Wittmer 2014-04-03 22:56:29 UTC
fixed and Maintenance Request created

https://build.opensuse.org/request/show/228958
Comment 4 Bernhard Wiedemann 2014-04-04 00:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (871758) was mentioned in
https://build.opensuse.org/request/show/228960 Factory / otrs
Comment 5 Alexander Bergmann 2014-04-08 07:28:24 UTC
This bug now combines two OTRS Security Advisories. Both CVEs were fixed with the submissions from comment 3 and comment 4.

OSA-2014-04: CVE-2014-2553
http://www.otrs.com/security-advisory-2014-04-xss-issue/

OSA-2014-05: CVE-2014-2554
http://www.otrs.com/security-advisory-2014-05-clickjacking-issue/
Comment 6 Swamp Workflow Management 2014-04-22 14:04:55 UTC
openSUSE-SU-2014:0561-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 871758
CVE References: CVE-2014-2553,CVE-2014-2554
Sources used:
openSUSE 13.1 (src):    otrs-3.2.16-31.9.1
openSUSE 12.3 (src):    otrs-3.1.21-26.15.1