CVE-2012-4751
Published 2012-10-22
Priority: P4 · 24 · medium · 4.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 5.79% (92.2th percentile)
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element.
Affected
44 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < otrs2 3.1.7+dfsg1-6 (bullseye) | otrs2 3.1.7+dfsg1-6 (bullseye) |
| otrs | otrs | — | — |
CVSS provenance
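| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |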
GHSA
GHSA-4836-xwrp-jpv6: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
ghsa_unreviewed·2022-05-14
CVE-2012-4751 [MEDIUM] CWE-79 GHSA-4836-xwrp-jpv6: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
OSV
CVE-2012-4751: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
osv·2012-10-22·CVSS 4.3
CVE-2012-4751 [MEDIUM] CVE-2012-4751: Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2
Debian
CVE-2012-4751: otrs2 - Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) He...
vendor_debian·2012·CVSS 4.3
CVE-2012-4751 [MEDIUM] CVE-2012-4751: otrs2 - Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) He...
Scope: local
bullseye: resolved (fixed in 3.1.7+dfsg1-6)
No detection rules found.
Exploit-DB
OTRS 3.1 - Persistent Cross-Site Scripting
exploitdb·2012-10-18
CVE-2012-4751 OTRS 3.1 - Persistent Cross-Site Scripting
---
#!/usr/bin/python
'''
Author: Mike Eduard - Znuny - Enterprise Services for OTRS
Product: OTRS Open Technology Real Services
Version: 3.1.8, 3.1.9 and 3.1.10
Vendor Homepage: http://otrs.org
CVE: 2012-4751
Timeline:
03 Sep 2012: Vulnerability reported + fix to vendor
04 Sep 2012: Vulnerability reported to CERT
05 Sep 2012: Response received from CERT
28 Sep 2012: Update from vendor to have it fixed and released on 16 Oct 2012
16 Oct 2012: Update: vulnerability patched
http://www.kb.cert.org/vuls/id/603276
http://znuny.com/#!/advisory/ZSA-2012-03
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
17 Oct 2012: Public Disclosure
Installed On: Windows Server 2008 R2 & Open SUSE 12.1
Client Test O
Exploit-DB
OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting
exploitdb·2012-08-31
CVE-2012-4751 OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting
---
#!/usr/bin/python
'''
Author: Mike Eduard - Znuny - Enterprise Services for OTRS
Product: OTRS Open Technology Real Services
Version: 3.1.8 and 3.1.9
Vendor Homepage: http://otrs.org
CVE: 2012-4600
Timeline:
22 Aug 2012: Vulnerability reported to vendor and CERT
23 Aug 2012: Response received from CERT and vendor
28 Aug 2012: Update from vendor to have it fixed and released on 30 Aug 2012
30 Aug 2012: Update: vulnerability patched
http://www.kb.cert.org/vuls/id/511404
http://znuny.com/#!/advisory/ZSA-2012-02
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
31 Aug 2012: Public Disclosure
Installed On: Windows Server 2008 R2 & Open SUSE 12.1
Client Test OS: Windows 7
No writeups or analysis indexed.
References
http://lists.opensuse.org/opensuse-updates/2013-01/msg00036.html
http://packetstormsecurity.org/files/117504/OTRS-3.1-Cross-Site-Scripting.html
http://www.kb.cert.org/vuls/id/603276
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://www.securityfocus.com/bid/56093
http://znuny.com/assets/proof_of_concept_cve_2012-4751-znuny.py
http://znuny.com/en/#%21/advisory/ZSA-2012-03