SECURITY ADVISORY
- PUBLISHED: December 20, 2022
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSIONS: OTOBO 10.0
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2022-4427
Description
Problem
- SQL Injection: We fixed a vulnerability that allowed attackers to inject SQL code through the “TicketSearch” web service operation.
- JS Injection: We patched a vulnerability that enabled attackers with OTOBO admin rights to inject JavaScript code.
- Admin Interface: A code change prevents users with OTOBO admin rights from injecting code into ACLs.
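The advisory does not describe the TicketSearch defect in detail, so the following is an added, generic illustration of the defect class (not OTOBO's code, not its schema, and not an exploit against OTOBO): a search routine that interpolates a caller-controlled value into SQL text, beside the hardened form that passes the value as a bind parameter. The table, rows and payload are constructed for the example; it assumes Perl with DBI and DBD::SQLite installed.

```perl
#!/usr/bin/perl
# Added illustration of the SQL-injection defect class behind a search
# operation. Hypothetical table and data; this is not OTOBO code.
use strict;
use warnings;
use DBI;

# Constructed in-memory sample data (hypothetical table, not OTOBO's schema).
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE ticket (id INTEGER PRIMARY KEY, title TEXT, customer TEXT)');
my $ins = $dbh->prepare('INSERT INTO ticket (title, customer) VALUES (?, ?)');
$ins->execute(@$_) for (
    [ 'Printer broken',  'alice' ],
    [ 'VPN not working', 'bob'   ],
    [ 'Password reset',  'carol' ],
);

# Vulnerable: the caller-controlled value becomes part of the SQL text,
# so a value such as "' OR '1'='1" changes the structure of the query
# and the WHERE clause no longer restricts the result.
sub search_vulnerable {
    my ( $dbh, $customer ) = @_;
    my $sql = "SELECT id, title FROM ticket WHERE customer = '$customer'";
    return $dbh->selectall_arrayref($sql);
}

# Hardened: the value travels as a bind parameter. The database never
# parses it as SQL, so the same payload is compared as a literal string.
sub search_hardened {
    my ( $dbh, $customer ) = @_;
    my $sql = 'SELECT id, title FROM ticket WHERE customer = ?';
    return $dbh->selectall_arrayref( $sql, undef, $customer );
}

# Constructed payload: closes the string literal and appends a tautology.
my $payload = "' OR '1'='1";

printf "vulnerable search with payload: %d rows\n",
    scalar @{ search_vulnerable( $dbh, $payload ) };
printf "hardened search with payload:   %d rows\n",
    scalar @{ search_hardened( $dbh, $payload ) };
printf "hardened search for 'bob':      %d rows\n",
    scalar @{ search_hardened( $dbh, 'bob' ) };
```

Run with `perl sqli_demo.pl`. The vulnerable routine returns every row for the payload because the filter has been turned into `customer = '' OR '1'='1'`, while the hardened routine returns nothing for the payload and exactly one row for a legitimate customer name. The same principle applies to any value that reaches a query from a web service parameter: build the statement once with placeholders and supply the data separately, instead of assembling SQL text from request input.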
Special thanks to Tim Püttmanns (maxence) for bringing these vulnerabilities to our attention.
Potential consequences
- Direct execution of injected JS code after saving.
Measures for secure operations
Update to OTOBO 10.0.17
A security patch release that fixes these vulnerabilities is available. Please update your system to stay protected.
Bug Fixes
- [Bugfix] Terminal notifications are now sent even when display is enabled for customers
- [Bugfix] CLOB columns are now base64 decoded during migration from Oracle to MariaDB
- [Bugfix] Fixed Perl 5.34 shmwrite problem in OTOBO 10.0.x
- [Tidied] Updated JavaScript libraries
- Note: Manual changes to Loader::Agent::CommonJS###000-Framework and Loader::Customer::CommonJS###000-Framework (see below).
- [Bugfix] Adapted S/MIME encryption to newer OpenSSL versions
- [Bugfix] Fixed a bug in the synchronization of LDAP groups to OTOBO roles
Notes on Changed SysConfig Options in OTOBO 10.0.17
JavaScript
As already done in OTOBO 10.1, this patch also updates the JavaScript libraries in OTOBO 10.0. The libraries are listed in the SysConfig options “Loader::Agent::CommonJS###000-Framework” and “Loader::Customer::CommonJS###000-Framework”.
If these options were adjusted manually via SysConfig (which we advise against), they cannot be updated automatically.
In that case, note your adjustments, reset the setting to its default, perform the update, and then reapply your adjustments manually afterwards if they are still needed.
Support customers who need assistance with the security patch can contact us through their access in the support portal.
Report a security issue:
security@otobo.org