Main Vulnerability Database SB2017111429

SB2017111429 - Information disclosure in Open Ticket Request System

Published: November 14, 2017 Updated: November 27, 2017

Security Bulletin ID SB2017111429

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-15864)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient input validation. A remote attacker who is logged into OTRS as an agent can request special URLs from OTRS, and retrieve any configuration information, including database credentials.

Remediation

Install update from vendor's website.

References

https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/