#VU51858 Cross-site scripting in OTRS - CVE-2019-10067
Published: May 22, 2019 / Updated: April 1, 2021
Vulnerability identifier: #VU51858
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10067
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OTRS
OTRS
Software vendor:
otrs.org
otrs.org
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/