VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2021 · Updated Aug 6, 2024

CVE-2013-4717

Description

Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 contain multiple SQL injection flaws that allow remote authenticated agents to execute arbitrary SQL commands.

Vulnerability

Multiple SQL injection vulnerabilities exist in Open Ticket Request System (OTRS) Help Desk versions 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 [1]. The flaws are located in several kernel modules: Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. An attacker must have a valid agent login to reach the vulnerable code paths.

Exploitation

An attacker with a valid agent login can manipulate certain URLs (or unspecified input vectors) that are processed by the vulnerable Perl modules. By crafting malicious input, the attacker can inject arbitrary SQL commands into database queries executed by the application [1]. No further privileges beyond standard agent access are required; the attack does not require user interaction from other parties.

Impact

Successful exploitation allows a remote authenticated attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized reading, modification, or deletion of data, potentially including sensitive ticket information, user credentials, and configuration data. The attacker operates with the database privileges of the OTRS application user.

Mitigation

The OTRS project released fixed versions: OTRS 3.0.22, 3.1.18, and 3.2.9 [1]. Administrators should upgrade to these versions or later. No workarounds are documented in the available references. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
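The upgrade advice above reduces to a version-range check. The following is an added example, not code from the advisory or the OTRS project: it classifies OTRS Help Desk version strings against the three affected branches and fixed versions stated in this CVE (3.0.22, 3.1.18, 3.2.9). The sample inventory at the bottom is constructed.

```python
# Added example (not part of the advisory): classify OTRS Help Desk version
# strings against the CVE-2013-4717 ranges given in the text.
import re

# Fixed version per affected branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (3, 0): (3, 0, 22),
    (3, 1): (3, 1, 18),
    (3, 2): (3, 2, 9),
}


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple.

    Suffixes such as '-beta1' are ignored; pre-release builds of a fixed
    version are therefore treated as the release itself (a caveat, not a fact
    from the advisory)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised OTRS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(text):
    """Return 'affected', 'fixed', or 'not in scope' for one version string.

    'not in scope' covers branches the advisory does not list (e.g. 2.x, 3.3+);
    it means this CVE's ranges say nothing about them, not that they are safe."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "not in scope"
    return "affected" if v < fixed else "fixed"


def is_affected(text):
    """True when the version lies inside one of the advisory's affected ranges."""
    return classify(text) == "affected"


def assess(versions):
    """Map each version string in an inventory to its verdict."""
    return {t: classify(t) for t in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, verdict in assess(["3.0.21", "3.0.22", "3.1.17", "3.2.9", "3.3.1"]).items():
        print(f"OTRS {ver}: {verdict}")
```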

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)