SQL injection on addme_observer and addme_assign
SQL injection for all helpdesk instances.
On an existing ticket:
- Save a SQL injection payload in a text field (such as the description textarea):
description ', name='inject title
- Save the ticket.
- Click the addme_assign or addme_observer button -> the SQL injection triggers.
Severity is not critical, as the vulnerability requires a technician account.
Fixed in ebca9b1
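The steps above describe a second-order injection: the payload is stored intact, then interpreted as SQL when a later action reuses the stored value. The following is an added example, not the project's code or the fix in ebca9b1; the in-memory SQLite `tickets` schema, the function names, and the assumption that the button handler re-saves stored fields through a string-built UPDATE are all hypothetical.

```python
import sqlite3

# Payload copied from the advisory's reproduction steps.
PAYLOAD = "description ', name='inject title"


def make_db():
    """In-memory stand-in for a ticket table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, name TEXT, "
               "content TEXT, observer TEXT)")
    # The initial save is parameterized, so the payload is stored intact.
    db.execute("INSERT INTO tickets (id, name, content) VALUES (1, ?, ?)",
               ("original title", PAYLOAD))
    return db


def addme_vulnerable(db, ticket_id, user):
    """Re-saves the ticket by pasting the stored value back into SQL text."""
    (content,) = db.execute("SELECT content FROM tickets WHERE id = ?",
                            (ticket_id,)).fetchone()
    # The stored quote ends the string literal; the rest parses as a SET clause.
    db.execute("UPDATE tickets SET content = '" + content + "', observer = '"
               + user + "' WHERE id = " + str(int(ticket_id)))


def addme_hardened(db, ticket_id, user):
    """Same action with bound parameters: the stored text stays data."""
    (content,) = db.execute("SELECT content FROM tickets WHERE id = ?",
                            (ticket_id,)).fetchone()
    db.execute("UPDATE tickets SET content = ?, observer = ? WHERE id = ?",
               (content, user, ticket_id))


def ticket_after(action):
    """Run one 'add me' action on a fresh DB and return (name, content)."""
    db = make_db()
    action(db, 1, "tech1")
    return db.execute("SELECT name, content FROM tickets WHERE id = 1").fetchone()


if __name__ == "__main__":
    print("vulnerable:", ticket_after(addme_vulnerable))
    print("hardened:  ", ticket_after(addme_hardened))
```

Values read back from the database need the same binding or escaping as request input; having been stored safely once does not make them safe to concatenate later.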
For more information
If you have any questions or comments about this advisory: