ZSA-2019-01
Privilege escalation in picture upload
Problem
An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS.
Workaround
As a workaround, you can replace the affected files.
Solution
Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).