CVE-2023-5421 — Improper Input Validation in AG Otrs

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.5MEDIUMNVD

CNA3.5

EPSS

0.3%

top 48.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Otrs Otrs Otrs AG Community Edition

Timeline

PublishedOct 16

Description

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.x — 6.0.34

▶NVDotrs/otrs7.0.0 — 7.0.47+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.47+1

🔴Vulnerability Details

OSV

CVE-2023-5421: An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute↗2023-10-16

▶

CVEList

Possible XSS execution in customer information↗2023-10-16

▶

GHSA

GHSA-hqj4-p6qw-7mf2: An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute↗2023-10-16

▶