CVE-2022-4427
Published: 2022-12-19
Priority: P3 52 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.71% (49.1st percentile)
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice
This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < znuny 6.4.5-1 (bookworm) | znuny 6.4.5-1 (bookworm) |
| debian | znuny | < znuny 6.4.5-1 (bookworm) | znuny 6.4.5-1 (bookworm) |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | 6.0.1 – 6.0.34 | — |
| otrs | otrs | >= 7.0.1 < 7.0.40 | 7.0.40 |
| otrs | otrs | >= 8.0.1 < 8.0.28 | 8.0.28 |
| otrs_ag | community_edition | 6.0.1 – 6.0.34 | — |
| otrs_ag | otrs | >= 7.0.1 < 7.0.40 Patch 1 | 7.0.40 Patch 1 |
| otrs_ag | otrs | >= 8.0.1 < 8.0.28 Patch 1 | 8.0.28 Patch 1 |
| znuny | znuny | >= 0 < 6.4.5-1 | 6.4.5-1 |
| znuny | znuny | >= 0 < 6.4.5-1 | 6.4.5-1 |
| znuny | znuny | >= 0 < 6.4.5-1 | 6.4.5-1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| cisa | 9.8 | CRITICAL | — |
| vendor_debian | 6.5 | MEDIUM | — |
GHSA

GHSA-qgm5-3gxj-29mw · ghsa_unreviewed · 2022-12-19 · CVE-2022-4427 [CRITICAL] · CWE-20; description identical to the CVE text above.
OSV

CVE-2022-4427 · osv · 2022-12-19 · CVSS 9.8 [CRITICAL]; description identical to the CVE text above.
Debian

otrs2 · vendor_debian · 2022 · CVSS 6.5 [MEDIUM]; description identical to the CVE text above.
Scope: local
bullseye: open
CISA (entry indexed under CVE-2020-4427, a different vulnerability)

CVE-2020-4427 [CRITICAL] · cisa · 2021-11-03 · CVSS 9.8
Vulnerability: IBM Data Risk Manager Security Bypass Vulnerability
Affected: IBM Data Risk Manager
IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-4427
Remediation Due Date: 2022-05-03
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.