An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
References
Link | Resource |
---|---|
https://otrs.com/release-notes/otrs-security-advisory-2022-11/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2022-09-05 00:15
Updated : 2022-09-08 13:45
NVD link : CVE-2022-39050
Mitre link : CVE-2022-39050
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
otrs
- otrs