CVE-2014-1471 — SQL Injection in Otrs

CWE-89 — SQL Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

1.6%

top 18.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Otrs2 Otrs

Timeline

PublishedFeb 4

Latest updateMay 17

Description

SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/otrs2< otrs2 3.3.4-1 (bullseye)

▶NVDotrs/otrs33 versions+32

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-29c7-wxj9-99jf: SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State↗2022-05-17

▶

OSV

CVE-2014-1471: SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State↗2014-02-04

▶

📋Vendor Advisories

Debian

CVE-2014-1471: otrs2 - SQL injection vulnerability in the StateGetStatesByType function in Kernel/Syste...↗2014

▶