CVE-2017-16664
Published: 2017-11-21
Priority: P355 high
CVSS 3.0 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.49% (82.7th percentile)
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | otrs2 | < otrs2 5.0.24-1 (bullseye) | otrs2 5.0.24-1 (bullseye) |
| otrs | otrs | >= 3.3.0 < 3.3.20 | 3.3.20 |
| otrs | otrs | >= 4.0.0 < 4.0.26 | 4.0.26 |
| otrs | otrs | >= 5.0.0 < 5.0.24 | 5.0.24 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
Debian
CVE-2017-16664: otrs2 - Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS)
vendor_debian · 2017 · CVSS 8.8 · HIGH
Scope: local
bullseye: resolved (fixed in 5.0.24-1)
GHSA
GHSA-fw6p-44w4-4vwh: Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS)
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-94
OSV
CVE-2017-16664: Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS)
osv · 2017-11-21 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html
- https://www.debian.org/security/2017/dsa-4047
- https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/