Security Advisory 2012-02 – XSS vulnerability
August 30, 2012 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Report a Vulnerability:
Security Advisory Details
- ID: OSA-2012-02
- Date: 2012-08-30
- Title: XSS vulnerability
- Severity: Less critical
- Product: OTRS 2.4.x, 3.0.x, 3.1.x
- Fixed in: OTRS 2.4.14, 3.0.16, 3.1.10
- URL: http://otrs.org/advisory/OSA-2012-02-en/
- CVE: CVE-2012-4600
This Advisory covers vulnerabilities discovered in the OTRS core system.
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including 3.1.9.
This vulnerability is fixed in OTRS 2.4.14, 3.0.16 and 3.1.10, and it is recommended to upgrade to one of these versions.
This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9, and it is recommended to upgrade to one of these versions. It is also fixed in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5.
Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/
Here are detailed informations about the required changes:
As a workaround it is also possible to replace the following files with a fixed version.
- Kernel/System/HTMLUtils.pm 188.8.131.52
- Kernel/System/HTMLUtils.pm 184.108.40.206
- Kernel/Modules/CustomerTicketAttachment.pm 220.127.116.11
- Kernel/Modules/AgentTicketAttachment.pm 18.104.22.168
However, to avoid unwanted side effects, we recommend a complete update.
Also available on http://source.otrs.org/.
Thanks to Znuny GmbH for reporting this vulnerability!