Main Vulnerability Database SB2019052232

SB2019052232 - Cross-site scripting in OTRS

Published: May 22, 2019 Updated: April 1, 2021

Security Bulletin ID SB2019052232

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2019-10066)

The vulnerability allows a remote authenticated user to read and manipulate data.

An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.

Remediation

Install update from vendor's website.

References

https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework/