Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2080 to the following vulnerability:

Name: CVE-2010-2080
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2080
Assigned: 20100526
Reference: CONFIRM: http://otrs.org/advisory/OSA-2010-02-en/
Reference: CONFIRM: http://security-tracker.debian.org/tracker/CVE-2010-2080
Reference: BID:43264
Reference: URL: http://www.securityfocus.com/bid/43264
Reference: SECUNIA:41381
Reference: URL: http://secunia.com/advisories/41381
Reference: XF:otrs-unspecified-xss(61868)
Reference: URL: http://xforce.iss.net/xforce/xfdb/61868

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

EPEL5 ships OTRS 2.1.7, which looks at first glance to be vulnerable to some, if not all, of these issues.

Patches:
http://source.otrs.org/viewvc.cgi/otrs/Kernel/Output/HTML/Standard/AgentStatsOverview.dtl?r1=1.4&r2=1.4.2.1&view=patch
http://source.otrs.org/viewvc.cgi/otrs/Kernel/Modules/AdminCustomerUser.pm?r1=1.55&r2=1.55.2.1&view=patch
http://source.otrs.org/viewvc.cgi/otrs/Kernel/Modules/AdminCustomerUserGroup.pm?r1=1.16.2.1&r2=1.16.2.2&view=patch
http://source.otrs.org/viewvc.cgi/otrs/Kernel/Output/HTML/Standard/AdminCustomerUserGroupForm.dtl?r1=1.9&r2=1.9.2.1&view=patch
Created otrs tracking bugs for this issue

Affects: fedora-all [bug 635847]
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3476 to the following vulnerability:

Name: CVE-2010-3476
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3476
Assigned: 20100920
Reference: CONFIRM: http://otrs.org/advisory/OSA-2010-02-en/
Reference: CONFIRM: http://security-tracker.debian.org/tracker/CVE-2010-2080
Reference: BID:43264
Reference: URL: http://www.securityfocus.com/bid/43264
Reference: SECUNIA:41381
Reference: URL: http://secunia.com/advisories/41381
Reference: XF:otrs-regexpression-dos(61869)
Reference: URL: http://xforce.iss.net/xforce/xfdb/61869

Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080.
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped.