Security Advisory 2012-02 – XSS vulnerability

 

August 30, 2012 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org

 

Security Advisory Details

  • ID: OSA-2012-02
  • Date: 2012-08-30
  • Title: XSS vulnerability
  • Severity: Less critical
  • Product: OTRS 2.4.x, 3.0.x, 3.1.x
  • Fixed in: OTRS 2.4.14, 3.0.16, 3.1.10
  • URL: http://otrs.org/advisory/OSA-2012-02-en/
  • CVE: CVE-2012-4600

Vulnerability Description

This Advisory covers vulnerabilities discovered in the OTRS core system.

XSS vulnerability

  • An attacker could send a specially prepared HTML email to OTRS which will cause JavaScript code to be executed when the email is displayed. This is achieved with an invalid HTML structure with nested tags.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including 3.1.9.

This vulnerability is fixed in OTRS 2.4.14, 3.0.16 and 3.1.10, and it is recommended to upgrade to one of these versions.

 

Recommended Resolution

This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9, and it is recommended to upgrade to one of these versions. It is also fixed in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5.

Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/

Here are detailed informations about the required changes:

Workaround

As a workaround it is also possible to replace the following files with a fixed version.

OTRS 3.1.x:

  • Kernel/System/HTMLUtils.pm 1.35.2.3

OTRS 3.0.x:

  • Kernel/System/HTMLUtils.pm 1.27.2.5

OTRS 2.4.x:

  • Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.7
  • Kernel/Modules/AgentTicketAttachment.pm 1.22.2.7

http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log

However, to avoid unwanted side effects, we recommend a complete update.

Also available on http://source.otrs.org/.

Thanks to Znuny GmbH for reporting this vulnerability!