Vulnerability Name: CVE-2017-17476 (CCN-136694)
Assigned: 2017-12-19
Published: 2017-12-19
Updated: 2019-10-03
Summary: Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
CVSS v3 Severity:
8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity:
6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-200
Vulnerability Consequences: Gain Access
References:
Source: MITRE Type: CNA CVE-2017-17476
Source: XF Type: UNKNOWN otrs-cve201717476-session-hijacking(136694)
Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20171220 [SECURITY] [DLA 1215-1] otrs2 security update
Source: DEBIAN Type: Third Party Advisory DSA-4069
Source: CCN Type: OTRS Security Advisory: OSA-2017-10 Security Update for OTRS Framework
Source: CONFIRM Type: Patch, Vendor Advisory https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
Source: CCN Type: WhiteSource Vulnerability Database CVE-2017-17476