FreeBSD : otrs -- SQL injection (6b575419-14cf-11df-a628-001517351c22)

medium Nessus Plugin ID 44407

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

OTRS Security Advisory reports:

Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements.

A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e.g. administrator permissions).

To use this vulnerability the malicious user needs to have a valid Agent or Customer session.

Solution

Update the affected package.

See Also

https://otrs.com

http://www.nessus.org/u?d6f756a4

Plugin Details

Severity: Medium

ID: 44407

File Name: freebsd_pkg_6b57541914cf11dfa628001517351c22.nasl

Version: 1.11

Type: local

Published: 2/9/2010

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:otrs, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/8/2010

Vulnerability Publication Date: 2/8/2010

Reference Information

CVE: CVE-2010-0438

CWE: 89