CVE-2020-1771 — Cross-site Scripting in AG Community Edition

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

CNA4.6

EPSS

0.6%

top 29.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Community Edition Otrs AG Otrs Otrs

Timeline

PublishedMar 27

Latest updateMay 24

Description

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.x — 6.0.26

▶NVDotrs/otrs5.0.0 — 5.0.41+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.15

🔴Vulnerability Details

GHSA

GHSA-38fp-9j49-g4gm: Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript)↗2022-05-24

▶

OSV

CVE-2020-1771: Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript)↗2020-03-27

▶

CVEList

Possible XSS in Customer user address book↗2020-03-27

▶

📋Vendor Advisories

Debian

CVE-2020-1771: otrs2 - Attacker is able craft an article with a link to the customer address book with ...↗2020

▶