Possible XSS stored in customer information
CVE-2022-39050

4.6MEDIUM

Key Information:

Vendor: Otrs Ag
Status: Otrs; ((otrs)) Community Edition
Vendor: CVE Published:; 5 September 2022

What is CVE-2022-39050?

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap

Affected Version(s)

((OTRS)) Community Edition 6.0.1 < 6.0.x*

OTRS 7.0.x <= 7.0.36

OTRS 8.0.x <= 8.0.24

References

https://otrs.com/release-notes/otrs-security-advisory-202...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2022
Vulnerability Reserved
Aug 31, 2022

Credit

Special thanks to Aleksey Solovev for reporting these vulnerability.