#VU51864 Cross-site scripting in OTRS - CVE-2020-1766
Published: January 10, 2020 / Updated: April 1, 2021
Vulnerability identifier: #VU51864
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-1766
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OTRS
OTRS
Software vendor:
otrs.org
otrs.org
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html
- https://otrs.com/release-notes/otrs-security-advisory-2020-02/