Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-2637 — Cross-site Scripting in FAQ

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

1.4%

top 19.29%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Otrs FAQ Otrs Itsm Opensuse

Timeline

PublishedFeb 12

Latest updateMay 5

Description

A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDotrs/otrs_itsm3.1.0 — 3.1.8+2

▶NVDotrs/faq2.1.0 — 2.1.4+1

▶NVDopensuse/opensuse12.2, 12.3+1

🔴Vulnerability Details

GHSA

GHSA-6cx5-8j63-3v47: A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3↗2022-05-05

▶

CVEList

CVE-2013-2637: A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3↗2020-02-12

▶

💥Exploits & PoCs

Exploit-DB

OTRS 3.x - FAQ Module Persistent Cross-Site Scripting↗2013-04-08

▶