
ZSA-2012-02

XSS attack in Firefox and Opera possible

Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.
This vulnerability affects all releases of OTRS 2.4.x up to and including 2.4.13, OTRS 3.0.x up to and including 3.0.15, and all 3.1.x versions up to and including 3.1.9.

Workaround

As a workaround, disable the rich text feature via SysConfig.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Download

  • Security patch for OTRS 5
  • Security patch for OTRS 4

References