Executive Summary
Information | |||
---|---|---|---|
Name | CVE-2010-0438 | First vendor Publication | 2010-02-09 |
Vendor | Cve | Last vendor Modification | 2010-09-09 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 8 | Authentication | Requires single instance |
Detail
Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0438 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13628 | |||
Oval ID: | oval:org.mitre.oval:def:13628 | ||
Title: | DSA-1993-1 otrs2 -- sql injection | ||
Description: | It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise input data that is used on SQL queries, which might be used to inject arbitrary SQL to, for example, escalate privileges on a system that uses otrs2. The oldstable distribution is not affected. For the stable distribution, the problem has been fixed in version 2.2.7-2lenny3. For the testing distribution, the problem will be fixed soon. For the unstable distribution, the problem has been fixed in version 2.4.7-1. We recommend that you upgrade your otrs2 packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1993-1 CVE-2010-0438 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | otrs2 |
Definition Id: oval:org.mitre.oval:def:7539 | |||
Oval ID: | oval:org.mitre.oval:def:7539 | ||
Title: | DSA-1993 otrs2 -- sql injection | ||
Description: | It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise input data that is used on SQL queries, which might be used to inject arbitrary SQL to, for example, escalate privileges on a system that uses otrs2. The oldstable distribution is not affected. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1993 CVE-2010-0438 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | otrs2 |
OpenVAS Exploits
Date | Description |
---|---|
2010-02-22 | Name : Open Ticket Request System (OTRS) Multiple SQL Injection Vulnerabilities File : nvt/secpod_otrs_mult_sql_inj_vuln.nasl |
2010-02-18 | Name : Debian Security Advisory DSA 1993-1 (otrs2) File : nvt/deb_1993_1.nasl |
2010-02-10 | Name : FreeBSD Ports: otrs File : nvt/freebsd_otrs.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62181 | OTRS (Open Ticket Request System) Unspecified SQL Injection OTRS (Open Ticket Request System) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unspecified script not properly sanitizing user-supplied input to an unspecified parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_otrs-100709.nasl - Type : ACT_GATHER_INFO |
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_otrs-100712.nasl - Type : ACT_GATHER_INFO |
2010-07-14 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_otrs-100712.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1993.nasl - Type : ACT_GATHER_INFO |
2010-02-09 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_6b57541914cf11dfa628001517351c22.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2021-05-04 12:11:08 | |
2021-04-22 01:11:39 | |
2020-05-23 00:25:15 | |
2016-06-28 18:01:19 | |
2016-04-26 19:33:43 | |
2014-02-17 10:53:43 | |
2013-05-10 23:17:34 | |