CVE-2020-1766
published 2020-01-10CVE-2020-1766: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript…
PriorityP428medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
1.27%
66.2th percentile
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | otrs2 | < otrs2 6.0.25-1 (bullseye) | otrs2 6.0.25-1 (bullseye) |
| otrs | otrs | 5.0.0 – 5.0.39 | — |
| otrs | otrs | 6.0.0 – 6.0.24 | — |
| otrs | otrs | 7.0.0 – 7.0.13 | — |
| otrs_ag | community_edition | — | — |
| otrs_ag | community_edition | — | — |
| otrs_ag | otrs | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_redhat3.3LOW
vendor_debian2.0LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m842-x755-qmxc: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javas
ghsa_unreviewed·2022-05-24
CVE-2020-1766 [MEDIUM] CWE-79 GHSA-m842-x755-qmxc: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javas
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
OSV
CVE-2020-1766: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javas
osv·2020-01-10·CVSS 6.1
CVE-2020-1766 [MEDIUM] CVE-2020-1766: Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javas
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Red Hat
libsolv: Heap overflow
vendor_redhat·2022-02-21·CVSS 3.3
CVE-2021-44573 [LOW] CWE-787 libsolv: Heap overflow
libsolv: Heap overflow
[REJECTED CVE] Two heap overflow vulnerabilities exist in oenSUSE libsolv through 13 Dec 2020 in the resolve_installed function at src/solver.c: line 1728 & 1766.
Statement: This flaw was found to be a duplicate of CVE-2021-3200. Please see https://access.redhat.com/security/cve/CVE-2021-3200 for information about affected products and security errata.
Package: libsolv (Red Hat Enterprise Linux 7) - Not affected
Package: libsolv (Red Hat Enterprise Linux 8) - Not affected
Package: libsolv (Red Hat Enterprise Linux 9) - Not affected
Package: libsolv (Red Hat Satellite 6) - Not affected
Package: libsolv (Red Hat Update Infrastructure 3 for Cloud Providers) - Will not fix
Debian
CVE-2020-1766: otrs2 - Due to improper handling of uploaded images it is possible in very unlikely and ...
vendor_debian·2020·CVSS 2.0
CVE-2020-1766 [LOW] CVE-2020-1766: otrs2 - Due to improper handling of uploaded images it is possible in very unlikely and ...
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.25-1)
No detection rules found.
No public exploits indexed.
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.htmlhttps://lists.debian.org/debian-lts-announce/2020/01/msg00027.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00040.htmlhttps://otrs.com/release-notes/otrs-security-advisory-2020-02/http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.htmlhttps://lists.debian.org/debian-lts-announce/2020/01/msg00027.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00040.htmlhttps://otrs.com/release-notes/otrs-security-advisory-2020-02/
2020-01-10
Published