CVE-2022-39050 — Cross-site Scripting in AG Community Edition

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

CNA4.6

EPSS

0.6%

top 30.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Community Edition Otrs Otrs AG Otrs

Timeline

PublishedSep 5

Latest updateSep 6

Description

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶NVDotrs/otrs7.0.0 — 7.0.37+2

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.x*

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.36+1

🔴Vulnerability Details

GHSA

GHSA-x46q-hjvj-45vc: An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent whe↗2022-09-06

▶

CVEList

Possible XSS stored in customer information↗2022-09-05

▶

OSV

CVE-2022-39050: An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent whe↗2022-09-05

▶