Code Injection in OTRS - CVE-2022-39051

 

Code Injection in OTRS - CVE-2022-39051

Published: September 9, 2022


Vulnerability identifier: #VU67155
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-39051
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: otrs.org
Affected software:
OTRS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Template Toolkit. A remote administrator can trick a victim to install an unverified 3th party package and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2022-39051

Install updates from vendor's website.

Sources