CVE-2019-9752 — Cross-site Scripting in Otrs

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.6%

top 30.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Opensuse Backports SLE Opensuse Leap

Timeline

PublishedMar 13

Latest updateMay 4

Description

An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDotrs/otrs5.0.0 — 5.0.34+2

▶NVDopensuse/leap15.1, 15.2+1

▶NVDopensuse/backports_sle15.0

Patches

Patch: community.otrs.com ↗Patch: community.otrs.com ↗

🔴Vulnerability Details

GHSA

GHSA-246f-fqrw-2v49: An issue was discovered in Open Ticket Request System (OTRS) 5↗2022-05-04

▶

CVEList

CVE-2019-9752: An issue was discovered in Open Ticket Request System (OTRS) 5↗2019-03-13

▶

OSV

CVE-2019-9752: An issue was discovered in Open Ticket Request System (OTRS) 5↗2019-03-13

▶

💥Exploits & PoCs

Exploit-DB

citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection↗2019-09-26

▶

📋Vendor Advisories

Debian

CVE-2019-9752: otrs2 - An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, ...↗2019

▶