Release Note

OTRS Security Advisory 2024-10

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2024-10
  • Date: 2024-08-26
  • Title: Stored XSS in System Configuration
  • Severity CVSS v3.1: 4.9 MEDIUM
  • Severity CVSS v4.0: 4.8 MEDIUM
  • Urgency: Moderate
  • Product: OTRS, ((OTRS)) Community Edition
  • Fixed in: OTRS 2024.6.1 and OTRS 7.0.51
  • CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N * CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/R:U/RE:M/U:Amber
  • References: CVE-2024-43442

Stored XSS in System Configuration

Improper Neutralization of Input done by an attacker with admin privileges (‘Cross-site Scripting’) in OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins.

PRODUCT AFFECTED:

This issue affects

OTRS:

  • from 7.0.X through 7.0.50
  • 8.0.X
  • 2023.X
  • from 2024.X through 2024.5.X

((OTRS)) Community Edition:

  • 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected.

Problem:

CWE-790 Improper Filtering of Special Elements CWE-790

Impact:

CAPEC-63 Cross-Site Scripting (XSS) CAPEC-63

Product Status

Product Affected
OTRS AG OTRS » System Configuration

Default status is unaffected

from 7.0.x through 7.0.50
8.0.x
2023.x
from 2024.x through 2024.5.x
OTRS AG ((OTRS)) Community Edition » System Configuration

Default status is affected

6.0.x

SOLUTION:

Update to OTRS 2024.6.x or OTRS 7.0.51

CREDITS:

Special thanks to Marek Holka for reporting these vulnerability.

 

Release Details

  • Release:
    OTRS Security Advisory 2024-10
  • Release date:
    08/26/2024