Open Ticket Request System (OTRS) 7.0.6 Cross Site Scripting Vulnerability

Summary

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.

Credit:

The information has been provided by Piotr Domirski
The original article can be found at: https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework/


Details

OTRS is prone to a cross-site scripting vulnerability. This allows remote attackers to inject arbitrary web script or HTML via vulnerable vectors. A remote attacker can use cross-site scripting (XSS) to send a hostile script to an unsuspecting user.

Vulnerable Systems:

  • OTRS 5.0.0
  • OTRS 5.0.1
  • OTRS 5.0.2
  • OTRS 5.0.3
  • OTRS 5.0.4
  • OTRS 5.0.5
  • OTRS 5.0.6
  • OTRS 5.0.7
  • OTRS 5.0.8
  • OTRS 5.0.9
  • OTRS 5.0.10
  • OTRS 5.0.11
  • OTRS 5.0.12
  • OTRS 6.0.0
  • OTRS 6.0.1
  • OTRS 6.0.2
  • OTRS 6.0.3
  • OTRS 6.0.4
  • OTRS 6.0.5
  • OTRS 6.0.6
  • OTRS 6.0.7
  • OTRS 6.0.8
  • OTRS 6.0.9
  • OTRS 6.0.10
  • OTRS 6.0.11
  • OTRS 6.0.12
  • OTRS 6.0.13
  • OTRS 6.0.14
  • OTRS 6.0.15
  • OTRS 6.0.16
  • OTRS 6.0.17
  • OTRS 7.0.0
  • OTRS 7.0.4
  • OTRS 7.0.5
  • OTRS 7.0.6
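
As an added example (not part of the advisory or of OTRS itself), the affected ranges stated in the summary turned into a version check a defender can run over an installed-software inventory; the inventory lines, hostnames and the `vulnerable_hosts` helper are constructed for illustration.

```python
"""Check OTRS / OTRSAppointmentCalendar versions against the ranges
given for CVE-2019-10066: OTRS 7.x through 7.0.6, Community Edition
6.0.x through 6.0.17, OTRSAppointmentCalendar 5.0.x through 5.0.12."""
from typing import List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected) per product, taken from the advisory text
AFFECTED = {
    "otrs": [((7, 0, 0), (7, 0, 6)), ((6, 0, 0), (6, 0, 17))],
    "otrsappointmentcalendar": [((5, 0, 0), (5, 0, 12))],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.6' (or a short form like '6.0') into a 3-tuple of ints.

    Short forms are padded with zeros so '6.0' compares as 6.0.0; anything
    that is not dotted integers is rejected rather than silently ignored."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside an affected range.

    Products not named in the advisory are reported as not affected."""
    key = product.lower().replace(" ", "")
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(key, []))


def vulnerable_hosts(inventory_csv: str) -> List[str]:
    """Return hostnames from 'host,product,version' lines that still need patching."""
    hits = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        if is_affected(product, version):
            hits.append(host)
    return hits


# Constructed sample inventory (hostnames are hypothetical)
INVENTORY = """\
helpdesk-01,OTRS,7.0.6
helpdesk-02,OTRS,7.0.7
legacy-01,OTRS,6.0.17
cal-01,OTRSAppointmentCalendar,5.0.12
"""

if __name__ == "__main__":
    print("needs patching:", vulnerable_hosts(INVENTORY))
```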

CVE Information:
CVE-2019-10066

Disclosure Timeline:
Publish Date: 05/21/2019
