Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-39050

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap

Published

2022-09-05T07:15:08.063

Last Modified

2024-11-21T07:17:27.333

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.6 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	otrs	otrs	≤ 6.0.32	Yes
Application	otrs	otrs	< 7.0.37	Yes
Application	otrs	otrs	< 8.0.25	Yes

References

https://otrs.com/release-notes/otrs-security-advisory-2022-11/ Vendor Advisory ([email protected])
https://otrs.com/release-notes/otrs-security-advisory-2022-11/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)