January 24, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: security@otrs.org
...
Security Advisory Details
- ID: OSA-2017-01
- Date: 2017-01-24
- Title: XSS Vulnerability in OTRS Business Solution™
- Severity: 3.2 low
- Product: OTRS Business Solution™ 5.0.x (OTRS Business Solution™ 5 and OTRS Business Solution™ 5s)
- Fixed in: OTRS Business Solution™ 5.0.15 (OTRS Business Solution™ 5s)
- FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
- References:
Vulnerability Description
This advisory covers vulnerabilities discovered in the OTRS Business Solution™.
Information Disclosure
- An attacker could use the chat to send a message which could lead to the execution of JavaScript in the OTRS context.
All releases of OTRS Business Solution™ 5.0.x up to and including 5.0.14 are affected by this vulnerability.
This vulnerability is fixed in the latest versions of OTRS Business Solution™, and it is recommended to upgrade via the OTRS Business Solution™ management module in the admin area of OTRS.