CVE-2017-17476

NameCVE-2017-17476
DescriptionOpen Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1215-1, DSA-4069-1
Debian Bugs884801

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2sourcewheezy3.3.18-1~deb7u3DLA-1215-1
otrs2sourcejessie3.3.18-1+deb8u4DSA-4069-1
otrs2sourcestretch5.0.16-1+deb9u5DSA-4069-1
otrs2source(unstable)6.0.3-1884801

Notes

https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
OTRS-6: https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
OTRS-5: https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
OTRS-4: https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb

Search for package or bug name: Reporting problems