SECURITY ADVISORY
- PUBLISHED: December 20, 2022
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSIONS: OTOBO 10.1
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2022-4427
Description
Problem
- SQL Injection: We fixed a vulnerability that allowed attackers to inject SQL code through the “TicketSearch” web service operation.
- JS Injection: Additionally, we patched a vulnerability that enabled attackers with OTOBO admin rights to inject JavaScript code.
Special thanks to Tim Püttmanns (maxence) for reporting these vulnerabilities.
Potential Consequences
- Injection of SQL / JS Code
Measures for secure operation
Update to OTOBO 10.1.6
A security patch update is available that fixes both vulnerabilities. Please update your system.
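A quick way to confirm whether an installation is at or beyond the fix level named above is to read the version an OTOBO checkout records about itself and compare it numerically. The following is an added example, not OTOBO project code; it assumes the installation root contains a plain-text RELEASE file with `PRODUCT = OTOBO` and `VERSION = x.y.z` lines (the layout OTOBO inherited from OTRS). The sample RELEASE contents and the `/opt/otobo` path are constructed for illustration.

```python
"""Check an OTOBO installation's version against the fix level in this advisory.

Added example, not OTOBO project code. Assumes <root>/RELEASE is a plain-text
file with "PRODUCT = OTOBO" and "VERSION = x.y.z" lines; adjust parse_release()
if your deployment records the version elsewhere.
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (10, 1, 6)   # first 10.1 release containing the fix
AFFECTED_BRANCH = (10, 1)    # the only branch this advisory covers

_LINE_RE = re.compile(r"^\s*(PRODUCT|VERSION)\s*=\s*(\S+)\s*$", re.MULTILINE)


def parse_release(text: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (product, version tuple) from RELEASE-file contents.

    The version is split into integer fields so that 10.1.10 sorts after
    10.1.6; a plain string comparison would get that wrong.
    """
    fields = dict(_LINE_RE.findall(text))
    if "PRODUCT" not in fields or "VERSION" not in fields:
        raise ValueError("RELEASE file lacks a PRODUCT or VERSION line")
    version = tuple(int(part) for part in fields["VERSION"].split("."))
    return fields["PRODUCT"], version


def is_affected(product: str, version: Tuple[int, ...]) -> Optional[bool]:
    """True if this is a 10.1 release older than 10.1.6, False if it is at or
    beyond the fix, None if the advisory says nothing about this product or
    branch (so no conclusion should be drawn from it)."""
    if product != "OTOBO" or version[:2] != AFFECTED_BRANCH:
        return None
    return version < FIXED_VERSION


def check_install(root: str) -> Optional[bool]:
    """Read <root>/RELEASE and evaluate it against the advisory."""
    text = Path(root, "RELEASE").read_text(encoding="utf-8")
    return is_affected(*parse_release(text))


if __name__ == "__main__":
    # Constructed sample standing in for a real RELEASE file.
    sample = "PRODUCT = OTOBO\nVERSION = 10.1.5\n"
    product, version = parse_release(sample)
    print(f"{product} {'.'.join(map(str, version))}: affected={is_affected(product, version)}")
    # Optional: pass the installation root, e.g. /opt/otobo, on the command line.
    if len(sys.argv) > 1:
        print("installation:", check_install(sys.argv[1]))
```

A `None` result means the advisory does not cover that branch, not that the system is safe; check the advisories for that branch separately.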
Bug Fixes
- [Enhancement] Script to resolve utf8/utf8mb3 issues for solving a specific migration problem
- [Enhancement] Fixed problems with ConfigurationDeploySync in S3 environments
- [Enhancement] Fixed a bug that caused high CPU load due to SystemConfigurationOutOfSyncCheck notification
- [Bugfix] Terminal notifications are now sent even when display is enabled for customers
- [Bugfix] Corrected the ‘Printed by’ information when printing company tickets in the CustomerTicketOverview. Instead of showing the ticket owner, it now displays the person who triggered the print.
- [Bugfix] Adjusted hidden filters in Medium and Preview views in TicketOverview
- [Bugfix] Adjusted formatting options for images in CKEditor. Embedded graphics in signatures can now be correctly formatted.
- [Bugfix] Fixed a rare bug that caused errors in AjaxAttachments display
- [Bugfix] Corrected settings in migration.pl for Package::RepositoryRoot
- [Bugfix] Fixed an error in CustomerFrontend::Navigation###ExternalURLJump###1
- [Enhancement] Created a new Docker file otobo.kerberos.web.docker
- [Bugfix] Fixed a rare bug where sender email addresses were not correctly displayed
- [Bugfix] HTTP Redirect for OTOBO_WEB_HTTPS_PORT fixed
- [Bugfix] Generic Agent now sends SendNoNotification consistently for all subsequent events. Notifications were occasionally not sent when events were triggered by GenericAgents.
- [Bugfix] base64 decoding of CLOB columns during migration from Oracle to MariaDB
- [Bugfix] Fixed a bug in the source DB name check during Oracle migration.
- Fixed Perl 5.34 shmwrite problem in OTOBO 10
We’re happy to answer your questions. Contact us.
If you are a support customer and need assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org