Security Advisory 2007-01 – Vulnerability in OTRS agent mailbox view allows Cross-Site-Scripting

May 24, 2007 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability: security@otrs.org

Security Advisory Details

  • Date: May 24, 2007
  • Title: Vulnerability in OTRS agent mailbox view allows Cross-Site-Scripting
  • Severity: Less critical
  • Affected:
    OTRS Help Desk 2.0.x
  • Fixed in:
    OTRS Help Desk 2.0.5
  • Not affected:
    OTRS Help Desk 2.2.x
    OTRS Help Desk 2.1.x

Vulnerability Description

This advisory covers one vulnerability in the OTRS agent mailbox view. Missing HTML quoting of input fields allows an agent in the mailbox view (only within a valid session) to inject HTML tags. Through this, an attacker can inject script code into the OTRS web interface, which is then loaded and executed in users' browsers. All releases of OTRS 2.0.0 up to and including 2.0.4 are affected.
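The defect class described above is output without HTML quoting: a field an agent controls is interpolated into the page as markup. The following Perl script is an added illustration and is not OTRS code; the ticket structure, the `html_quote` function and the two `render_row_*` functions are assumed names chosen for the example. It shows the same value rendered unquoted and quoted, which is the difference the 2.0.5 fix makes.

```perl
#!/usr/bin/perl
# Added illustration (not OTRS code): why missing HTML quoting in a
# template matters, and the output-encoding fix. All names are assumed.
use strict;
use warnings;

# Escape the five characters that change meaning inside HTML text and
# attribute values. This is what a template's quoting filter has to do
# for every value that originated from a user or a mail.
sub html_quote {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Vulnerable rendering: the subject is interpolated unchanged, so any
# tags it contains become part of the page the browser executes.
sub render_row_unquoted {
    my (%ticket) = @_;
    return "<td>$ticket{Subject}</td>";
}

# Hardened rendering: every untrusted value passes through html_quote,
# so the browser shows the tags as text instead of interpreting them.
sub render_row_quoted {
    my (%ticket) = @_;
    return '<td>' . html_quote($ticket{Subject}) . '</td>';
}

# Constructed sample: a ticket subject containing markup and the
# characters the quoting must cover.
my %ticket = ( Subject => 'Printer <b>down</b> & "smoking"' );

print "unquoted: ", render_row_unquoted(%ticket), "\n";
print "quoted:   ", render_row_quoted(%ticket),   "\n";
```

The quoting has to be applied at the output boundary, on every field the mailbox view prints (subject, sender, queue name and so on), not only on fields an attacker is expected to control; the advisory's fix to Kernel/Modules/AgentTicketMailbox.pm is exactly that kind of per-field quoting in the module that builds the view.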

Recommended Resolution

This vulnerability is fixed in OTRS 2.0.5, and it is recommended to upgrade to this version.

Workaround

Next to upgrading to the mentioned fixed release, a workaround is to replace the following file with a fixed version:

As a workaround you can update the file Kernel/Modules/AgentTicketMailbox.pm from CVS to version 1.4.2.3 (http://cvs.otrs.org/).

However, to avoid unwanted side effects, we recommend a complete update.