-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > CVE-2014-1471 > > Norihiro Tanaka reported missing challenge token checks. An > attacker that managed to take over the session of a logged in > customer could create tickets and/or send follow-ups to existing > tickets due to these missing checks. > > CVE-2014-1694 > > Karsten Nielsen from Vasgard GmbH discovered that an attacker > with a valid customer or agent login could inject SQL code through the > ticket search URL.
you mixed up those two CVEs 1471 is the SQLi 1694 is the CSFR Vuln. - -- Kind Regards Milan Berger Project-Mindstorm Technical Engineer - --- project-mindstorm.net Fruehlingstrasse 4 90537 Feucht Germany Mob.: +49 176 22987602 https://www.ghcif.de http://www.nopaste.info (for sale) https://www.digital-bit.ch http://www.project-mindstorm.net twitter: http://twitter.com/twit4c -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBAgAGBQJTCwE9AAoJEELPZ7TxhhmewUoP/i6zF35kPEP6hQxCOuhqOu2H eBBulvXCde3pFdaqujj1rBydVe7/1kfvVz0wtsqFsP8FSvWZI6isxCZfnL7xG8LY B72rwfk0LudqVNwOhMF/79oYXhqQaXhsThc33Oqjne02d098ISro7NM2mOmwndU9 W7ITFBYwwbHBhOHOiVfmXaT4eZYAT68pZFt64rkTrbuT6zTm0qEWHutk3923jMt9 27mwZVwo5JoPWrLV3jaOnJuib7U0T9+2Ou2zSKAeVOkvyO61Ji8fVN40po/qgFgL eoEVIjbAold9FiGfUAsCaE5izv+PSTwKUlcUHexewTzlVCDcVeDuglql3H0XSHFD VtEqgyKcbm6VagSYCGcOTwZHBGFPid2H4/ZARiFAXDkKri0AYpisQUJwmmVYSrP3 07nVnkTSaIMdF2006XwZ9dty8wdXGK09cQE6GiOxqMwk3m8D6+32Idi5ZSsKPoVg bFgbw2thDL1TIr1oGKkwl0naSZje18yVgli4eBa7zGL0mYTIh2gAVRyXmE7mNi37 zBfZdn+CEmtA/tfkp1TiAReEfFext4tloGRjneQfLFvdw/X6dq/S225Z1JQL3yVK ecpVTBLro/kqJfEEkNThwolHqTV5FJAfpB2Bn6EqIplkyiRdbATx3rBCIcCfBr8Y Xa8KqTNJc2OgRG7vkx9I =ZPyz -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/