OTRSCVELIST:CVE-2020-1771CVE-2020-1771 Possible XSS in Customer user address book
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
40.4%
Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CNA Affected
[
{
"vendor": "OTRS AG",
"product": "((OTRS)) Community Edition",
"versions": [
{
"version": "6.0.x",
"status": "affected",
"lessThanOrEqual": "6.0.26",
"versionType": "custom"
}
]
},
{
"vendor": "OTRS AG",
"product": "OTRS",
"versions": [
{
"version": "7.0.x",
"status": "affected",
"lessThanOrEqual": "7.0.15",
"versionType": "custom"
}
]
}
]References
lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
lists.debian.org/debian-lts-announce/2023/08/msg00040.html
otrs.com/release-notes/otrs-security-advisory-2020-08/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
40.4%