CVSS: 7.5EPSS: 0%CPEs: 45EXPL: 0CVE-2014-1471
https://notcve.org/view.php?id=CVE-2014-1471
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL. Vulnerabilidad de inyección SQL en la función StateGetStatesByType en Kernel/System/State.pm en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores relacionados con la URL de búsqueda de tickets. • http://osvdb.org/102661 http://secunia.com/advisories/56644 http://secunia.com/advisories/56655 http://www.debian.org/security/2014/dsa-2867 http://www.openwall.com/lists/oss-security/2014/01/29/15 http://www.securityfocus.com/bid/65241 https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82 https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949 https://www.otrs.com/release-notes-otrs • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4717
https://notcve.org/view.php?id=CVE-2013-4717
Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. Múltiples vulnerabilidades de inyección SQL en Open Ticket Request System (OTRS) Help Desk versiones 3.0.x anteriores a 3.0.22, 3.1.x anteriores a 3.1.18, y 3.2.x anteriores a 3.2.9, permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios por medio de vectores no especificados relacionados con los archivos Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm y Kernel/System/TicketSearch.pm • https://web.archive.org/web/20130817120539/http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2013-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •