Security Advisory 2011-01 – Several XSS attacks possible
April 04, 2011 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Report a Vulnerability:
Security Advisory Details
- Date: Apr 04, 2011
- Title: Several XSS attacks possible
- Severity: Less Critical
– OTRS Help Desk 2.4.x, 3.0.x
- Fixed in:
– OTRS Help Desk 2.4.10, 3.0.7
- URL: http://otrs.org/advisory/OSA-2011-01-en/
- CVE: CVE-2011-1518
This Advisory covers vulnerabilities discovered in the OTRS core system.
Several XSS attacks possible
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.9, as well as all 3.0.x versions up to and including 3.0.6. This vulnerability is fixed in OTRS 2.4.10 and OTRS 3.0.7, and it is recommended to upgrade to one of these versions.
Fixed OTRS releases can be found at: https://community.otrs.com/category/release-notes-help-desk-2/
Here are detailed informations about the required changes:
As a workaround it is also possible to replace the following files with a fixed version.
- Kernel/Output/HTML/Standard/Warning.dtl 18.104.22.168
- Kernel/Output/HTML/Standard/Error.dtl 22.214.171.124
- Kernel/Output/HTML/Standard/CustomerError.dtl 126.96.36.199
- Kernel/Output/HTML/Lite/Warning.dtl 188.8.131.52
- Kernel/Output/HTML/Layout.pm 184.108.40.206
- Kernel/Output/HTML/Standard/CustomerError.dtl 220.127.116.11
- Kernel/Output/HTML/Standard/CustomerFooter.dtl 18.104.22.168
- Kernel/Output/HTML/Standard/CustomerWarning.dtl 22.214.171.124
- Kernel/Output/HTML/Standard/CustomerTicketSearchResultShort.dtl 126.96.36.199
- Kernel/Output/HTML/Standard/FooterJS.dtl 188.8.131.52
- Kernel/Output/HTML/Standard/Error.dtl 184.108.40.206
- Kernel/Output/HTML/Standard/Warning.dtl 220.127.116.11
- Kernel/Output/HTML/Layout.pm 1.351.2.5
However, to avoid unwanted side effects, we recommend a complete update.
Also available on http://source.otrs.org/.
Please send information regarding vulnerabilities in OTRS to email@example.com.
Many thanks to Szymon Sobczyk for discovering and reporting this vulnerabilitiy.