Headline

CVE-2019-9752: Security Advisory 2019-01: Security Update for OTRS Framework - ((OTRS)) Community Edition

An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.

5 years ago

CVE

Open in Source

#xss #vulnerability #java

Release Notes

OTRS Group, the world’s leading provider of the OTRS service management suite, including the fully managed OTRS solution and the ITIL® V3-compliant IT service management software OTRS::ITSM.

18/01/2019
Security Advisories

January 18, 2018 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Security Advisory Details

ID: OSA-2019-01
Date: 2019-01-18
Title: Stored XSS
Severity: 3.2. low
Product: OTRS 7.0.x, OTRS 6.0.x, OTRS 5.0.x
Fixed in: OTRS 7.0.4, OTRS 6.0.16, OTRS 5.0.34
URL: https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/?lang=de
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
References: CVE-2019-9752.

Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS framework.

Privilege Escalation

An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS.

Affected by this vulnerability are all releases of OTRS 7.0.x up to and including 7.0.3, OTRS 6.0.x up to and including 6.0.15 and OTRS 5.0.x up to and including 5.0.33.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at: