This vulnerability is fixed in OTRS 2.4.15, 3.0.17 and 3.1.11, and it is recommended to upgrade to one of these versions.
Fixed OTRS releases can be found at: https://community.otrs.com/open-source/community-news/releases-notes/
Here is detailed information about the required changes:
You can also replace the following files with a fixed version.
- Kernel/System/HTMLUtils.pm 126.96.36.199
- Kernel/System/HTMLUtils.pm 188.8.131.52
- Kernel/Modules/CustomerTicketAttachment.pm 184.108.40.206
- Kernel/Modules/AgentTicketAttachment.pm 220.127.116.11
However, to avoid unwanted side effects, we recommend a complete update.
Also available on http://source.otrs.org/.