Impact
SQL injection for all helpdesk instances.
On an existing ticket:
- save a SQL injection in a text field (such as the textarea for the description):
description ', name='inject title
- save the ticket.
- click on the addme_assign or addme_observer button -> the SQL injection triggers
Severity is not critical, as the vulnerability requires a technician account.
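The steps above describe a stored (second-order) injection: the text is saved safely, then triggers when a later action reuses it in a query. The following is an added illustration, not the helpdesk's own code; the table schema, function names and query shape are assumptions, and only the stored text comes from the advisory. It shows the unsafe re-save beside a parameterized one.

```python
import sqlite3

# Stored field value, as given in the advisory's example.
STORED_DESCRIPTION = "description ', name='inject title"


def make_db():
    """In-memory stand-in for a ticket table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, "
               "name TEXT, content TEXT, observer TEXT)")
    # The first save binds the value, so the quote is stored verbatim and inert.
    db.execute("INSERT INTO tickets (id, name, content) VALUES (1, ?, ?)",
               ("original title", STORED_DESCRIPTION))
    return db


def _stored_content(db, ticket_id):
    row = db.execute("SELECT content FROM tickets WHERE id = ?",
                     (ticket_id,)).fetchone()
    return row[0]


def add_observer_unsafe(db, ticket_id, user):
    """Assumed flaw: the stored content is pasted back into the SQL text."""
    content = _stored_content(db, ticket_id)
    # The quote inside `content` closes the literal; the rest of the stored
    # text is then parsed as a further column assignment.
    db.execute("UPDATE tickets SET content = '" + content + "', "
               "observer = ? WHERE id = ?", (user, ticket_id))


def add_observer_safe(db, ticket_id, user):
    """Same action with every value bound as a parameter."""
    content = _stored_content(db, ticket_id)
    db.execute("UPDATE tickets SET content = ?, observer = ? WHERE id = ?",
               (content, user, ticket_id))


def name_and_content(db, ticket_id):
    return db.execute("SELECT name, content FROM tickets WHERE id = ?",
                      (ticket_id,)).fetchone()


if __name__ == "__main__":
    for action in (add_observer_unsafe, add_observer_safe):
        db = make_db()
        action(db, 1, "tech")
        print(action.__name__, name_and_content(db, 1))
```

Data read back from the database needs the same treatment as request input: bind it or escape it again before it reaches a query.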
Patches
Fixed in ebca9b1
References
since 4f7b489
For more information
If you have any questions or comments about this advisory: