CVE-2014-1694

Debian Security Advisory 2867-1

Severity Score

8.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.

Múltiples vulnerabilidades de CSRF en (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm y (4) CustomerTicketZoom.pm en Kernel/Modules/ en Open Ticket Request System (OTRS) 3.1.x anterior a 3.1.19, 3.2.x anterior a 3.2.14 y 3.3.x anterior a 3.3.4 permite a atacantes remotos secuestrar la auntenticación de usuarios arbitrarios para solicitudes que (5) crean tickets o (6) envían seguimientos a tickets existentes.

Several vulnerabilities were discovered in otrs2, the Open Ticket Request System.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-01-29 CVE Reserved
2014-02-04 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (12)

URL	Tag	Source
http://bugs.otrs.org/show_bug.cgi?id=10099	X_refsource_confirm
http://osvdb.org/102632	Vdb Entry
http://www.openwall.com/lists/oss-security/2014/01/29/15	Mailing List
http://www.openwall.com/lists/oss-security/2014/01/29/7	Mailing List
https://www.otrs.com/release-notes-otrs-help-desk-3-3-4	X_refsource_confirm

URL	Date	SRC
https://github.com/OTRS/otrs/commit/6f324aaf8647729d509eebf063a0181f9f9196f7	2024-08-06
https://github.com/OTRS/otrs/commit/92f417277f43832f1a0462f2485fe1fd3fd52312	2024-08-06
https://github.com/OTRS/otrs/commit/ca2c3390fd60d9a3f810ed2c22cbc2c193457b77	2024-08-06

URL	Date	SRC
https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface	2014-03-06

URL	Date	SRC
http://secunia.com/advisories/56644	2014-03-06
http://secunia.com/advisories/56655	2014-03-06
http://www.debian.org/security/2014/dsa-2867	2014-03-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		beta1		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		beta2		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		beta3		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		beta4		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		beta5		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.0 Search vendor "Otrs" for product "Otrs" and version "3.2.0"		rc1		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.1 Search vendor "Otrs" for product "Otrs" and version "3.2.1"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.2 Search vendor "Otrs" for product "Otrs" and version "3.2.2"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.3 Search vendor "Otrs" for product "Otrs" and version "3.2.3"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.4 Search vendor "Otrs" for product "Otrs" and version "3.2.4"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.5 Search vendor "Otrs" for product "Otrs" and version "3.2.5"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.6 Search vendor "Otrs" for product "Otrs" and version "3.2.6"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.7 Search vendor "Otrs" for product "Otrs" and version "3.2.7"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.8 Search vendor "Otrs" for product "Otrs" and version "3.2.8"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.9 Search vendor "Otrs" for product "Otrs" and version "3.2.9"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.2.10 Search vendor "Otrs" for product "Otrs" and version "3.2.10"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.0 Search vendor "Otrs" for product "Otrs" and version "3.1.0"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.1 Search vendor "Otrs" for product "Otrs" and version "3.1.1"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.2 Search vendor "Otrs" for product "Otrs" and version "3.1.2"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.3 Search vendor "Otrs" for product "Otrs" and version "3.1.3"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.4 Search vendor "Otrs" for product "Otrs" and version "3.1.4"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.5 Search vendor "Otrs" for product "Otrs" and version "3.1.5"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.6 Search vendor "Otrs" for product "Otrs" and version "3.1.6"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.7 Search vendor "Otrs" for product "Otrs" and version "3.1.7"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.8 Search vendor "Otrs" for product "Otrs" and version "3.1.8"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.9 Search vendor "Otrs" for product "Otrs" and version "3.1.9"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.10 Search vendor "Otrs" for product "Otrs" and version "3.1.10"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.11 Search vendor "Otrs" for product "Otrs" and version "3.1.11"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.13 Search vendor "Otrs" for product "Otrs" and version "3.1.13"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.14 Search vendor "Otrs" for product "Otrs" and version "3.1.14"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.15 Search vendor "Otrs" for product "Otrs" and version "3.1.15"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.16 Search vendor "Otrs" for product "Otrs" and version "3.1.16"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.17 Search vendor "Otrs" for product "Otrs" and version "3.1.17"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.1.18 Search vendor "Otrs" for product "Otrs" and version "3.1.18"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		beta1		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		beta2		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		beta3		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		beta4		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		beta5		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.0 Search vendor "Otrs" for product "Otrs" and version "3.3.0"		rc1		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.1 Search vendor "Otrs" for product "Otrs" and version "3.3.1"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.2 Search vendor "Otrs" for product "Otrs" and version "3.3.2"		-		Affected
Otrs Search vendor "Otrs"		Otrs Search vendor "Otrs" for product "Otrs"				3.3.3 Search vendor "Otrs" for product "Otrs" and version "3.3.3"		-		Affected