Release Note

OTRS Security Advisory 2024-04

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2024-04
  • Date: 2024-01-29
  • Title: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor
  • Severity: 6.1 MEDIUM
  • Product: OTRS 7.0.x, OTRS, ((OTRS)) Community Edition
  • Fixed in: OTRS 7.0.49, OTRS 2024.1.1, OTRSAdvancedEditor 7.0.33, OTRSAdvancedEditor 2024.1.1
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • References: CVE-2021-33829

OSA-2024-04 A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
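The root of this bug class is a disagreement about where an HTML comment ends: browsers close a comment at either `-->` or the malformed `--!>`, while a scanner that only knows `-->` keeps treating the following markup as comment text. The following is an added example, not OTRS or CKEditor code, of a defensive check that flags input where the two views diverge and normalises the comment so both agree; the input strings are constructed for the demonstration.

```javascript
// Added example (not OTRS/CKEditor code). Per the HTML spec a comment opened
// by "<!--" is closed by "-->" or by the malformed "--!>". A scanner that only
// recognises "-->" still believes it is inside the comment after "--!>",
// while the browser already parses live markup there. Abrupt closings such as
// "<!-->" are not modelled here; this covers only the "--!>" case.

// Return the index just past the comment starting at `start` (which must
// point at "<!--"), using the given set of closing delimiters.
function commentEnd(html, start, closers) {
  let i = start + 4;
  while (i < html.length) {
    for (const c of closers) {
      if (html.startsWith(c, i)) return i + c.length;
    }
    i++;
  }
  return html.length; // unterminated comment runs to end of input
}

// List the comment spans [start, end) found in `html` with the given closers.
function commentSpans(html, closers) {
  const spans = [];
  let i = 0;
  while ((i = html.indexOf("<!--", i)) !== -1) {
    const end = commentEnd(html, i, closers);
    spans.push([i, end]);
    i = end;
  }
  return spans;
}

const SPEC_CLOSERS = ["-->", "--!>"]; // what the browser accepts
const NAIVE_CLOSERS = ["-->"];        // what a "-->"-only scanner accepts

// True when the browser's comment boundaries differ from the naive scan.
// Such input should be rejected or normalised before it reaches a sanitizer
// or editor that does not implement the spec's comment-close rules.
function hasCommentBoundaryMismatch(html) {
  const spec = JSON.stringify(commentSpans(html, SPEC_CLOSERS));
  const naive = JSON.stringify(commentSpans(html, NAIVE_CLOSERS));
  return spec !== naive;
}

// Rewrite each comment closed by "--!>" to end in a well-formed "-->", so
// the naive and spec views agree without changing what the browser renders.
function normalizeComments(html) {
  let out = "";
  let i = 0;
  for (const [s, e] of commentSpans(html, SPEC_CLOSERS)) {
    const body = html.slice(s, e);
    out += html.slice(i, s);
    out += body.endsWith("--!>") ? body.slice(0, -4) + "-->" : body;
    i = e;
  }
  return out + html.slice(i);
}
```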

PRODUCT AFFECTED:

This issue affects:

  • OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1
  • OTRSAdvancedEditor: from 6.0.X through 6.0.30, from 7.0.X through 7.0.32, from 8.0.X through 8.0.15, from 2023.X through 2023.1.1
  • ((OTRS)) Community Edition: from 6.0.1 through 6.0.34

PROBLEM:

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact:

XSS Attack

Product Status

  • OTRS AG OTRS » Agent Frontend, External Frontend (default status is unaffected); affected: from 7.0.x through 7.0.48, from 8.0.x through 8.0.37, from 2023.x through 2023.1.1
  • OTRS AG ((OTRS)) Community Edition (default status is affected); affected: from 6.0.1 through 6.0.34
  • OTRS AG OTRSAdvancedEditor (default status is unaffected); affected: from 6.0.x through 6.0.30, from 7.0.x through 7.0.32, from 8.0.x through 8.0.15, from 2023.x through 2023.1.1

SOLUTION:

  • Update to OTRS Patch 2024.1.1
  • Update to OTRS 7.0.49 (Long Term Support users)
  • Update to OTRSAdvancedEditor 7.0.33
  • Update to OTRSAdvancedEditor 2024.1.1

MODIFICATION HISTORY:

CVSS SCORE:

  • 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

RISK LEVEL:

MEDIUM

ACKNOWLEDGEMENTS:

Special thanks to Matthias Püschel for reporting this vulnerability.

Release Details

  • Release name:
    OTRS Security Advisory 2024-04
  • Release date:
    01/29/2024
  • Release type:
    security advisories