CVE-2026-48188
OTRS · OTRS / (OTRS) Community Edition
An improper input validation flaw in the OTRS database layer allows unauthenticated SQL injection when the MySQL/MariaDB server is configured with NO_BACKSLASH_ESCAPES.
Executive summary
A critical SQL injection vulnerability in OTRS allows unauthenticated attackers to bypass authentication and execute arbitrary database commands.
Vulnerability
The vulnerability exists in the database layer module of OTRS and (OTRS) Community Edition, which fails to properly sanitize input. This allows an unauthenticated attacker to inject malicious SQL queries, provided the underlying MySQL or MariaDB instance is configured with the NO_BACKSLASH_ESCAPES SQL mode. In that mode the server treats a backslash inside a string literal as an ordinary character, so any quoting that relies on backslashes to neutralize quote characters no longer does so.
Business impact
The ability to perform unauthenticated SQL injection poses a severe risk to organizational data integrity and confidentiality. With a CVSS score of 9.1, this vulnerability permits attackers to bypass authentication mechanisms, potentially leading to full unauthorized access to the application, sensitive customer information, and administrative credentials.
Remediation
Immediate Action: Upgrade to the latest version of OTRS or (OTRS) Community Edition as specified by the vendor to receive the necessary security patches.
Proactive Monitoring: Inspect database access logs for unusual query patterns, specifically looking for SQL syntax errors or unexpected administrative account activity.
Compensating Controls: If patching is delayed, ensure that the MySQL/MariaDB server configuration is modified to disable the NO_BACKSLASH_ESCAPES mode if it is not strictly required for business operations.
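To make the precondition in the vulnerability description and the compensating control above concrete, here is an added example (not OTRS code; the sql_mode strings and the two quoting helpers are hypothetical) that checks a sql_mode value for NO_BACKSLASH_ESCAPES, builds the statement that removes it, and simulates how the server lexes a quoted literal under each mode so the difference between backslash escaping and standard quote doubling is visible.

```python
"""Audit a MySQL/MariaDB sql_mode value for NO_BACKSLASH_ESCAPES and show why
backslash-based quoting fails under it. Hypothetical helper code, not OTRS's.
Read the live value on the server with:  SELECT @@GLOBAL.sql_mode, @@SESSION.sql_mode;
"""

MODE = "NO_BACKSLASH_ESCAPES"


def _modes(sql_mode: str) -> list[str]:
    return [m.strip().upper() for m in sql_mode.split(",") if m.strip()]


def has_no_backslash_escapes(sql_mode: str) -> bool:
    return MODE in _modes(sql_mode)


def fix_statement(sql_mode: str) -> str:
    # SET GLOBAL with the flag dropped; persist the same value as sql_mode=
    # under [mysqld] in my.cnf so it survives a restart.
    kept = ",".join(m for m in _modes(sql_mode) if m != MODE)
    return f"SET GLOBAL sql_mode = '{kept}';"


def quote_backslash(value: str) -> str:
    # Weak pattern: escapes quotes with backslashes, which only works in default mode.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_doubling(value: str) -> str:
    # Standard SQL quoting: a quote inside the literal is written twice. In default
    # mode backslashes still need handling too; placeholders (DBI bind values) avoid both.
    return "'" + value.replace("'", "''") + "'"


def parse_literal(sql: str, no_backslash_escapes: bool) -> tuple[str, str]:
    """Simulate the server lexing a single-quoted literal at the start of sql
    (simplified: an escaped character stands for itself). Returns the decoded
    value and the text left after the closing quote; leftover text means the
    quoting did not keep the whole value inside the literal."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1]); i += 2          # backslash escape honoured
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'"); i += 2                 # doubled quote, valid in both modes
        elif ch == "'":
            return "".join(out), sql[i + 1:]        # closing quote
        else:
            out.append(ch); i += 1
    raise ValueError("unterminated string literal")


def backslash_quoting_is_safe(value: str, sql_mode: str) -> bool:
    # True when the backslash-escaped literal round-trips with nothing left over.
    decoded, rest = parse_literal(quote_backslash(value), has_no_backslash_escapes(sql_mode))
    return decoded == value and rest == ""
```

With the benign value O'Brien, the backslash-quoted literal decodes correctly in default mode but under NO_BACKSLASH_ESCAPES the quote closes the literal early and the text Brien' is left outside it, which is exactly the situation an auditor should treat as a finding.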
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of this SQL injection vulnerability and the potential for complete system compromise, immediate remediation is required. Organizations should prioritize updating their OTRS instances and auditing database configurations to ensure they are not operating in a vulnerable state.