CVE-2021-36094 — Cross-site Scripting in AG Community Edition

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA5.7

EPSS

0.3%

top 48.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Community Edition Otrs Otrs AG Otrs

Timeline

PublishedSep 6

Latest updateMay 24

Description

It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.x*

▶NVDotrs/otrs7.0.0 — 7.0.29+1

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.28

🔴Vulnerability Details

GHSA

GHSA-p79w-9c5j-r2gw: It's possible to craft a request for appointment edit screen, which could lead to the XSS attack↗2022-05-24

▶

CVEList

XSS attack in appointment edit popup screen↗2021-09-06

▶

OSV

CVE-2021-36094: It's possible to craft a request for appointment edit screen, which could lead to the XSS attack↗2021-09-06

▶