CVE-2017-17476

EUVD-2017-8638
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
otrsotrs
4.0.0 ≤
𝑥
< 4.0.28
otrsotrs
5.0.0 ≤
𝑥
< 5.0.26
otrsotrs
6.0.0 ≤
𝑥
< 6.0.3
debiandebian_linux
7.0
debiandebian_linux
8.0
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
otrs2
bullseye/non-free
6.0.32-6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
otrs2
artful
ignored
bionic
not-affected
cosmic
not-affected
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
mantic
dne
noble
dne
trusty
dne
xenial
needed
zesty
ignored
Common Weakness Enumeration
References
https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html
https://www.debian.org/security/2017/dsa-4069
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html
https://www.debian.org/security/2017/dsa-4069
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/