| Name | CVE-2017-17476 |
| Description | Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1215-1, DSA-4069-1 |
| Debian Bugs | 884801 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | jessie, jessie (lts) | 3.3.18-1+deb8u15 | fixed |
| stretch/non-free (security), stretch/non-free (lts), stretch/non-free | 5.0.16-1+deb9u6 | fixed | |
| buster/non-free (security), buster/non-free | 6.0.16-2+deb10u1 | fixed | |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | wheezy | 3.3.18-1~deb7u3 | DLA-1215-1 | ||
| otrs2 | source | jessie | 3.3.18-1+deb8u4 | DSA-4069-1 | ||
| otrs2 | source | stretch | 5.0.16-1+deb9u5 | DSA-4069-1 | ||
| otrs2 | source | (unstable) | 6.0.3-1 | 884801 |
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
OTRS-6: https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
OTRS-5: https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
OTRS-4: https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb