CVE-2016-5843
Published: 17 September 2016
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.
Notes
| Author | Note |
|---|---|
| ratliff | FAQ is a separate module |
Priority
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.4 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | Low |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
References
- https://github.com/OTRS/FAQ/commit/3700f75c67f6ed1d39bc213445c6d12a458e1af9
- https://github.com/OTRS/FAQ/commit/8c9d63bd0297adda760330805c31afc130861557
- https://github.com/OTRS/FAQ/commit/b805703e7b7725d1f3040bb626a4c4dd845ee9e3
- https://www.otrs.com/security-advisory-2016-01-security-update-otrs-faq-package/
- https://www.cve.org/CVERecord?id=CVE-2016-5843
- NVD
- Launchpad
- Debian