CVE-2022-0473Cross-site Scripting in Otrs

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.8MEDIUMNVD
CNA3.8
EPSS
0.4%
top 41.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
OtrsOtrs AG Otrs
Timeline
PublishedFeb 7
Latest updateFeb 8

Description

OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

NVDotrs/otrs7.0.07.0.32
CVEListV5otrs_ag/otrs7.0.x7.0.31

🔴Vulnerability Details

2
GHSA
GHSA-j2qj-f5h6-7m56: OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check2022-02-08
CVEList
Dynamic field error message is vulnerable to XSS2022-02-07
CVE-2022-0473 — Cross-site Scripting in Otrs | cvebase