CVE-2023-38057 — Improper Input Validation in AG Otrs

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.1

EPSS

0.4%

top 41.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Otrs Survey Otrs AG Community Edition

Timeline

PublishedJul 24

Description

An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDotrs/survey7.0.0 — 7.0.32+2

▶CVEListV5otrs_ag/community_edition6.0.x — 6.0.22

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.32+1

🔴Vulnerability Details

CVEList

XSS stored in survey answers↗2023-07-24

▶

OSV

CVE-2023-38057: An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject j↗2023-07-24

▶

GHSA

GHSA-48q8-4r5f-p5pf: An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject j↗2023-07-24

▶