CVE-2014-1694 — Cross-Site Request Forgery in Otrs

CWE-352 — Cross-Site Request Forgery5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.6%

top 30.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Otrs2 Otrs

Timeline

PublishedFeb 4

Latest updateMay 17

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/otrs2< otrs2 3.3.4-1 (bullseye)

▶NVDotrs/otrs33 versions+32

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-gvjm-c4hq-cvw7: Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences↗2022-05-17

▶

OSV

CVE-2014-1694: Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences↗2014-02-04

▶

💥Exploits & PoCs

Exploit-DB

Procentia IntelliPen 1.1.12.1520 - 'data.aspx' Blind SQL Injection↗2014-03-12

▶

📋Vendor Advisories

Debian

CVE-2014-1694: otrs2 - Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPrefer...↗2014

▶