Vulnerability Details : CVE-2014-1471
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
Vulnerability category: SQL Injection
Exploit prediction scoring system (EPSS) score for CVE-2014-1471
Probability of exploitation activity in the next 30 days: 0.41%
Percentile (proportion of vulnerabilities scored at or below this): ~71%
CVSS scores for CVE-2014-1471
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
CWE ids for CVE-2014-1471
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
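The description and CWE text above say what went wrong (a caller-supplied list of state types reaching StateGetStatesByType() without quoting) but not what it looks like. The following is an added illustration, not OTRS code and not the query from the patched commits: it models a ticket-state lookup that filters on a list of state types taken from a URL parameter, shows the unquoted IN (...) shape being abused with a UNION, and then the two usual repairs (escaped literals, as the commit titles suggest, and bound parameters, which is what a practitioner should prefer). The table names, columns, sample rows, the INJECTION_PAYLOAD string and the sql_quote helper are all assumptions made for the demo.

```python
"""Illustrative model of the CVE-2014-1471 / CWE-89 pattern (added example,
not OTRS code).  A ticket-state lookup filters on a list of state types that
arrive from a URL parameter; the list is first pasted into an IN (...) clause
as text (the 'missing quoting' shape the fix commits describe) and then
rewritten two safer ways.  Table names, columns and sample rows are
assumptions for the demo, not the real OTRS schema."""
import sqlite3

# Constructed payload: closes the IN list, appends a UNION, comments out the rest.
INJECTION_PAYLOAD = "open') UNION SELECT id, value FROM secret --"


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed, OTRS-like state/state-type layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ticket_state_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE ticket_state (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            type_id INTEGER NOT NULL REFERENCES ticket_state_type(id)
        );
        -- An unrelated table the attacker should never be able to read.
        CREATE TABLE secret (id INTEGER PRIMARY KEY, value TEXT NOT NULL);
        INSERT INTO ticket_state_type VALUES (1, 'open'), (2, 'closed'), (3, 'pending');
        INSERT INTO ticket_state VALUES
            (1, 'new', 1), (2, 'open', 1), (3, 'closed successful', 2), (4, 'pending reminder', 3);
        INSERT INTO secret VALUES (1, 'admin-password-hash');
        """
    )
    return conn


_BASE_SQL = (
    "SELECT ts.id, ts.name FROM ticket_state ts "
    "JOIN ticket_state_type tst ON ts.type_id = tst.id "
    "WHERE tst.name IN ({in_list}) ORDER BY ts.id"
)


def states_by_type_vulnerable(conn, state_types):
    """Unsafe: user-controlled values are wrapped in quotes by string formatting,
    so a single quote inside a value ends the literal and the rest is parsed as SQL."""
    in_list = ", ".join(f"'{t}'" for t in state_types)
    return conn.execute(_BASE_SQL.format(in_list=in_list)).fetchall()


def sql_quote(value: str) -> str:
    """Minimal literal-escaping helper (doubles embedded quotes), standing in for
    a driver's quote function; illustrative, not OTRS's own Quote()."""
    return "'" + value.replace("'", "''") + "'"


def states_by_type_quoted(conn, state_types):
    """Escaped literals: the payload stays inside one string literal and simply
    matches no state type.  Correct here, but fragile across drivers and charsets."""
    in_list = ", ".join(sql_quote(t) for t in state_types)
    return conn.execute(_BASE_SQL.format(in_list=in_list)).fetchall()


def states_by_type_bound(conn, state_types):
    """Preferred: one bind placeholder per value; values never touch the SQL text."""
    state_types = list(state_types)
    if not state_types:           # IN () is a syntax error on most databases
        return []
    in_list = ", ".join(["?"] * len(state_types))
    return conn.execute(_BASE_SQL.format(in_list=in_list), state_types).fetchall()


def demo():
    """Run the same payload through all three variants and report what came back."""
    conn = make_db()
    return {
        "vulnerable": states_by_type_vulnerable(conn, [INJECTION_PAYLOAD]),
        "quoted": states_by_type_quoted(conn, [INJECTION_PAYLOAD]),
        "bound": states_by_type_bound(conn, [INJECTION_PAYLOAD]),
        "legit": states_by_type_bound(conn, ["open", "pending"]),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

Running it shows the unquoted variant returning the row from the unrelated secret table alongside the open states, while both repaired variants return nothing for the payload and the expected rows for a genuine list. Note that the bound version has to emit one placeholder per list element; a list-valued parameter is exactly the case where developers fall back to string building, which is why it is worth a dedicated helper.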
References for CVE-2014-1471
- http://www.debian.org/security/2014/dsa-2867
  Debian Security Information: DSA-2867-1 otrs2
- https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d
  Fixed: Missing quoting in State::StateGetStatesByType() (bug#10158), OTRS/otrs@2997b36 (Patch)
- https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949
  Fixed: Missing quoting in State::StateGetStatesByType() (bug#10158), OTRS/otrs@c4ec920 (Patch)
- http://www.securityfocus.com/bid/65241
  OTRS CVE-2014-1471 Unspecified SQL Injection Vulnerability
- http://www.openwall.com/lists/oss-security/2014/01/29/15
  oss-security: Re: CVE Request: otrs: CSRF issue in customer web interface
- https://www.otrs.com/security-advisory-2014-02-sql-injection-issue
  OTRS Security Advisory 2014-02: SQL injection issue (Patch; Vendor Advisory; link no longer resolves)
- https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82
  Fixed: Missing quoting in State::StateGetStatesByType() (bug#10158), OTRS/otrs@0680603 (Patch)
- https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
  OTRS Help Desk 3.3.4 release notes (link no longer resolves)
Products affected by CVE-2014-1471
- cpe:2.3:a:otrs:otrs:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.14:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.1.18:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:3.3.3:*:*:*:*:*:*:*