Vendor: OTRS
By: Adam Ziaja
CVSS: 8.8 (HIGH)
CWE: 79 (Stored Cross-Site Scripting (XSS))
Product Name: OTRS
Affected Version From: 3.1.x
Affected Version To: 3.3.x
Patch Exists: YES
Related CVE: CVE-2014-1695
CPE: a:otrs:otrs
Other Scripts:
https://www.infosecmatter.com/nessus-plugin-library/?id=75286, https://www.infosecmatter.com/nessus-plugin-library/?id=72696, https://www.infosecmatter.com/nessus-plugin-library/?id=86654, https://www.infosecmatter.com/nessus-plugin-library/?id=86703, https://www.infosecmatter.com/nessus-plugin-library/?id=82123, https://www.infosecmatter.com/nessus-plugin-library/?id=126292, https://www.infosecmatter.com/nessus-plugin-library/?id=75629, https://www.infosecmatter.com/nessus-plugin-library/?id=75081, https://www.infosecmatter.com/nessus-plugin-library/?id=76683, https://www.infosecmatter.com/nessus-plugin-library/?id=74615
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014
Stored Cross-Site Scripting (XSS) in OTRS
A stored XSS vulnerability exists in OTRS versions 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5. An attacker can craft a malicious HTML email and send it to an OTRS user. When the user opens the email, the malicious code will be executed in the user's browser, allowing the attacker to gain access to the user's session.
Mitigation:
Upgrade to OTRS version 3.1.20, 3.2.15, or 3.3.5 or later.