CVE-2016-5843
CRITICAL
FAQ package <2.3.6, <4.0.5, <5.0.5 - SQL Injection
Title source: llm
Description
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.
References (5)
Core References
Vendor Advisory x_refsource_confirm
https://www.otrs.com/security-advisory-2016-01-security-update-otrs-faq-package/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93019
Issue Tracking, Patch x_refsource_confirm
https://github.com/OTRS/FAQ/commit/b805703e7b7725d1f3040bb626a4c4dd845ee9e3
Issue Tracking, Patch x_refsource_confirm
https://github.com/OTRS/FAQ/commit/8c9d63bd0297adda760330805c31afc130861557
Issue Tracking, Patch x_refsource_confirm
https://github.com/OTRS/FAQ/commit/3700f75c67f6ed1d39bc213445c6d12a458e1af9
Scores
CVSS v3
9.4
EPSS
0.0321
EPSS Percentile
86.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Details
CWE
CWE-89
Status
published
Products (30)
otrs/faq 2.0.1
otrs/faq 2.0.2
otrs/faq 2.0.3
otrs/faq 2.0.4
otrs/faq 2.0.5
otrs/faq 2.0.6
otrs/faq 2.0.7
otrs/faq 2.0.8
otrs/faq 2.1.0
otrs/faq 2.1.1
... and 20 more
Published
Sep 17, 2016
Tracked Since
Feb 18, 2026