CVE-2012-4600
published 2012-08-31CVE-2012-4600: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when…
PriorityP417low2.6CVSS 2.0
AVNACHAuNCNIPAN
EXPLOIT
EPSS
6.35%
92.8th percentile
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
Affected
48 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < otrs2 3.1.7+dfsg1-5 (bullseye) | otrs2 3.1.7+dfsg1-5 (bullseye) |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
| otrs | otrs | — | — |
CVSS provenance
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:P/A:N
osv2.6LOW
vendor_redhat5.9MEDIUM
vendor_debian2.6LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wx2x-284c-86m6: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
ghsa_unreviewed·2022-05-14
CVE-2012-4600 [LOW] CWE-79 GHSA-wx2x-284c-86m6: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
OSV
CVE-2012-4600: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
osv·2012-08-31·CVSS 2.6
CVE-2012-4600 [LOW] CVE-2012-4600: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
Debian
CVE-2012-4600: otrs2 - Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) He...
vendor_debian·2012·CVSS 2.6
CVE-2012-4600 [LOW] CVE-2012-4600: otrs2 - Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) He...
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
Scope: local
bullseye: resolved (fixed in 3.1.7+dfsg1-5)
Red Hat
libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
vendor_redhat·2011-12-09·CVSS 5.9
CVE-2011-4600 [MEDIUM] libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query.
Statement: This issue affect Red Hat Enterprise Linux 6 and has been addressed via
https://rhn.redhat.com/errata/RHBA-2012-0013.html. Red Hat Enterprise Linux 5 is
not affected. The Red Hat Security Response Team has rated this issue as having
low security impact. For additional information, refer to the Issue Severity
Classification: https://access.redhat.com/security/updates/classification/.
P
No detection rules found.
Exploit-DB
OTRS 3.1 - Persistent Cross-Site Scripting
exploitdb·2012-10-18
CVE-2012-4751 OTRS 3.1 - Persistent Cross-Site Scripting
OTRS 3.1 - Persistent Cross-Site Scripting
---
#!/usr/bin/python
'''
Author: Mike Eduard - Znuny - Enterprise Services for OTRS
Product: OTRS Open Technology Real Services
Version: 3.1.8, 3.1.9 and 3.1.10
Vendor Homepage: http://otrs.org
CVE: 2012-4751
Timeline:
03 Sep 2012: Vulnerability reported + fix to vendor
04 Sep 2012: Vulnerability reported to CERT
05 Sep 2012: Response received from CERT
28 Sep 2012: Update from vendor to have it fixed and released on 16 Oct 2012
16 Oct 2012: Update: vulnerability patched
http://www.kb.cert.org/vuls/id/603276
http://znuny.com/#!/advisory/ZSA-2012-03
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
17 Oct 2012: Public Disclosure
Installed On: Windows Server 2008 R2 & Open SUSE 12.1
Client Test O
Exploit-DB
OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting
exploitdb·2012-08-31
CVE-2012-4751 OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting
OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting
---
#!/usr/bin/python
'''
Author: Mike Eduard - Znuny - Enterprise Services for OTRS
Product: OTRS Open Technology Real Services
Version: 3.1.8 and 3.1.9
Vendor Homepage: http://otrs.org
CVE: 2012-4600
Timeline:
22 Aug 2012: Vulnerability reported to vendor and CERT
23 Aug 2012: Response received from CERT and vendor
28 Aug 2012: Update from vendor to have it fixed and released on 30 Aug 2012
30 Aug 2012: Update: vulnerability patched
http://www.kb.cert.org/vuls/id/511404
http://znuny.com/#!/advisory/ZSA-2012-02
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
31 Aug 2012: Public Disclosure
Installed On: Windows Server 2008 R2 & Open SUSE 12.1
Client Test OS: Window 7
No writeups or analysis indexed.
http://secunia.com/advisories/50615http://www.kb.cert.org/vuls/id/511404http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2012-02/http://znuny.com/en/#%21/advisory/ZSA-2012-02http://secunia.com/advisories/50615http://www.kb.cert.org/vuls/id/511404http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2012-02/http://znuny.com/en/#%21/advisory/ZSA-2012-02
2012-08-31
Published