Security Advisory 2012-01 – XSS vulnerability in Internet Explorer
August 21, 2012 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Report a Vulnerability:
Security Advisory Details
- ID: OSA-2012-01
- Date: 2012-08-21
- Title: XSS vulnerability in Internet Explorer
- Severity: Less critical
- Product: OTRS 2.4.x, 3.0.x, 3.1.x, OTRS ITSM 3.1.x, 3.0.x, 2.1.x
- Fixed in: OTRS 2.4.13, 3.0.15, 3.1.9, OTRS ITSM 3.1.6, 3.0.6, 2.1.5
- Affected Feature Add-Ons: OTRSImportantArticles, OTRSCategoriesForTextModules
- URL: http://otrs.org/advisory/OSA-2012-01-en/
- CVE: CVE-2012-2582
This Advisory covers vulnerabilities discovered in the OTRS core system.
XSS vulnerability in Internet Explorer
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to and including 3.1.8 in combination with Internet Explorer.
This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9, and it is recommended to upgrade to one of these versions. It is also fixed in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5.
Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/
Here are detailed informations about the required changes:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 22.214.171.124
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 126.96.36.199
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 188.8.131.52
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 184.108.40.206
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 220.127.116.11
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 18.104.22.168
OTRS ITSM 2.1.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 22.214.171.124
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 126.96.36.199
OTRS ITSM 3.0.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 188.8.131.52
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 184.108.40.206
OTRS ITSM 3.1.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.49
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.23
Updates for the affected Feature Add-Ons are also available: OTRSImportantArticles 1.1.2 and OTRSCategoriesForTextModules 1.1.2 for OTRS 3.1.x, OTRSImportantArticles 1.0.2 and OTRSCategoriesForTextModules 1.0.4 for OTRS 3.0.x.
However, to avoid unwanted side effects, we recommend a complete update.
Also available on http://source.otrs.org/.