Security Advisory 2012-01 – XSS vulnerability in Internet Explorer


August 21, 2012 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org


Security Advisory Details

  • ID: OSA-2012-01
  • Date: 2012-08-21
  • Title: XSS vulnerability in Internet Explorer
  • Severity: Less critical
  • Product: OTRS 2.4.x, 3.0.x, 3.1.x, OTRS ITSM 3.1.x, 3.0.x, 2.1.x
  • Fixed in: OTRS 2.4.13, 3.0.15, 3.1.9, OTRS ITSM 3.1.6, 3.0.6, 2.1.5
  • Affected Feature Add-Ons: OTRSImportantArticles, OTRSCategoriesForTextModules
  • URL: http://otrs.org/advisory/OSA-2012-01-en/
  • CVE: CVE-2012-2582

Vulnerability Description

This Advisory covers vulnerabilities discovered in the OTRS core system.

XSS vulnerability in Internet Explorer

  • An attacker could send a specially prepared HTML email to OTRS which will cause JavaScript code to be executed in Internet Explorer when the email is displayed.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to and including 3.1.8 in combination with Internet Explorer.


Recommended Resolution

This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9, and it is recommended to upgrade to one of these versions. It is also fixed in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5.

Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/

Here is detailed information about the required changes:

Workaround

OTRS 2.4.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.62.2.4
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.44.2.4

OTRS 3.0.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.182.2.12
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.106.2.8

OTRS 3.1.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.207.2.4
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.116.2.2


OTRS ITSM 2.1.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.12.4.1
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.9.4.1

OTRS ITSM 3.0.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.38.2.1
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.20.2.1

OTRS ITSM 3.1.x:

  • Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.49
  • Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.23

Updates for the affected Feature Add-Ons are also available: OTRSImportantArticles 1.1.2 and OTRSCategoriesForTextModules 1.1.2 for OTRS 3.1.x, OTRSImportantArticles 1.0.2 and OTRSCategoriesForTextModules 1.0.4 for OTRS 3.0.x.

http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log

However, to avoid unwanted side effects, we recommend a complete update.

Also available on http://source.otrs.org/.