CVE-2014-9324

NameCVE-2014-9324
DescriptionThe GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-3124-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)buster/non-free6.0.16-2fixed
bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2sourcesqueeze(not affected)
otrs2sourcewheezy3.1.7+dfsg1-8+deb7u5DSA-3124-1
otrs2source(unstable)3.3.9-3

Notes

[squeeze] - otrs2 <not-affected> (Problematic module got introduced later)
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
Fix for 3.1.x: https://github.com/OTRS/otrs/commit/3058438a372db0d1a11c365d48a5fc7b1db24e90
Search for package or bug name: Reporting problems