Code Injection in OTRS - CVE-2019-9752

Published: March 13, 2019 / Updated: April 1, 2021


Vulnerability identifier: #VU51862
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-9752
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: otrs.org
Affected software:
OTRS

Detailed vulnerability description

The vulnerability allows a remote authenticated user (an agent or a customer user) to execute arbitrary JavaScript in the context of the OTRS web interface, that is, in the browser of any user who views the crafted upload.

An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.
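The bug class named above, a picture upload whose client-declared Content-Type is trusted and later replayed when the file is served, is illustrated here as an added example. This is not OTRS's own Kernel/Modules/PictureUpload.pm code or its patch; the accepted image types, the function names and the sample uploads are assumptions made for the example. The vulnerable accept path stores whatever type the client sent, so an HTML document declared as text/html is rendered in the OTRS origin and its script runs with the viewer's session; the hardened path derives the type from the file's leading bytes and refuses anything that does not match.

```python
"""Upload content-type checks: the trusting version beside a hardened one.

Illustrative code added to this advisory; it is not OTRS's own
Kernel/Modules/PictureUpload.pm logic. Names, the accepted type list
and the sample uploads below are assumptions made for the example.
"""
from dataclasses import dataclass

# Magic-byte prefixes for the image types this hypothetical handler accepts.
# (The advisory does not state which types OTRS itself accepts.)
_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class StoredFile:
    filename: str
    content_type: str  # what will be sent back in the Content-Type header
    data: bytes


class UploadRejected(ValueError):
    """Raised when an upload fails the server-side checks."""


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, prefixes in _MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def accept_vulnerable(filename, client_content_type, data):
    """Bug pattern behind the advisory: the Content-Type the *client* declared
    is stored verbatim and replayed when the file is served. An agent or
    customer who uploads an HTML document declared as text/html gets it
    rendered in the OTRS origin, so its scripts run with the viewer's session.
    """
    return StoredFile(filename, client_content_type, data)


def accept_hardened(filename, client_content_type, data):
    """Derive the served Content-Type from the bytes, never from the request."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("not a recognised image")
    # Require the declared type to agree; a mismatch is a reliable tamper signal.
    declared = client_content_type.split(";")[0].strip().lower()
    if declared != sniffed:
        raise UploadRejected(f"declared {declared!r} but content is {sniffed}")
    return StoredFile(filename, sniffed, data)


def response_headers(stored: StoredFile):
    """Headers to emit when serving a stored picture: the sniffed type, no
    browser MIME sniffing, and a server-chosen filename so an attacker-chosen
    name or extension cannot steer how the browser treats the response."""
    ext = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
    return {
        "Content-Type": stored.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="picture.{ext[stored.content_type]}"',
    }


# Constructed sample uploads (not real traffic).
HTML_PAYLOAD = b"<html><script>alert(document.cookie)</script></html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo():
    """Run both accept paths against the samples; returns a summary dict."""
    leaked = accept_vulnerable("x.png", "text/html", HTML_PAYLOAD)
    results = {"vulnerable_served_as": leaked.content_type}
    try:
        accept_hardened("x.png", "text/html", HTML_PAYLOAD)
        results["hardened_rejected_html"] = False
    except UploadRejected:
        results["hardened_rejected_html"] = True
    # A real PNG mislabelled as text/html is also refused, not silently re-typed.
    try:
        accept_hardened("x.html", "text/html", PNG_SAMPLE)
        results["hardened_rejected_mismatch"] = False
    except UploadRejected:
        results["hardened_rejected_mismatch"] = True
    good = accept_hardened("pic.png", "image/png", PNG_SAMPLE)
    results["hardened_good_headers"] = response_headers(good)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mismatch case matters: silently rewriting a mislabelled upload to its sniffed type keeps the service working but hides tampering attempts, whereas rejecting it gives the upload handler a clean signal to log. The `nosniff` header is defence in depth for browsers that would otherwise second-guess an image type from content that looks like markup.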


How to mitigate CVE-2019-9752

Install the fixed release from the vendor's website: OTRS 5.0.34, 6.0.16 or 7.0.4 or later, depending on the branch in use.

Sources