22947 2010-02-11 20:25:17 +0300 CVE-2010-0438: Vulnerability in OTRS-Core allows SQL-Injection 2010-02-21 22:32:37 +0300 1 1 4 Development Sisyphus otrs unstable all Linux CLOSED FIXED http://otrs.org/advisory/OSA-2010-01-en/ security P3 blocker --- 1 ldv asy asy pavel.zilke zidex qa-sisyphus oldest_to_newest 106630 0 ldv 2010-02-11 20:25:17 +0300 Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements. A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e. g. administrator permissions). To use this vulnerability the malicious user needs to have a valid Agent-or Customer-session. 106979 1 repository-robot 2010-02-21 22:32:37 +0300 otrs-2.4.7-alt1 -> sisyphus: * Sun Feb 21 2010 Pavel Zilke <zidex at altlinux> 2.4.7-alt1 - Security fixes: + Vulnerability in OTRS-Core allows SQL-Injection; CVE-2010-0438 (ALT #22947)