advisories/10352.adv

type: security
subject: Updated otrs package fixes security vulnerabilities
CVE:
 - CVE-2013-3551
 - CVE-2013-4088
src:
  2:
   core:
     - otrs-3.2.8-1.mga2
  3:
   core:
     - otrs-3.2.8-1.mga3
description: |
  An attacker with a valid agent login could manipulate URLs in the ticket
  watch mechanism to see contents of tickets they are not permitted to see
  (CVE-2013-3551, CVE-2013-4088).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=10352
 - http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
 - http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
 - http://www.debian.org/security/2013/dsa-2696
 - http://www.debian.org/security/2013/dsa-2712
ID: MGASA-2013-0196
1	davidwhodgins	114	type: security
2			subject: Updated otrs package fixes security vulnerabilities
3			CVE:
4			- CVE-2013-3551
5			- CVE-2013-4088
6			src:
7			2:
8			core:
9			- otrs-3.2.8-1.mga2
10			3:
11			core:
12			- otrs-3.2.8-1.mga3
13			description: \|
14			An attacker with a valid agent login could manipulate URLs in the ticket
15			watch mechanism to see contents of tickets they are not permitted to see
16			(CVE-2013-3551, CVE-2013-4088).
17			references:
18			- https://bugs.mageia.org/show_bug.cgi?id=10352
19			- http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
20			- http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
21			- http://www.debian.org/security/2013/dsa-2696
22			- http://www.debian.org/security/2013/dsa-2712
23	boklm	127	ID: MGASA-2013-0196