Lucene search

OTRSCVELIST:CVE-2021-21434

HistoryFeb 08, 2021 - 10:55 a.m.

CVE-2021-21434 XSS in Survey Module

2021-02-0810:55:19

CWE-79

OTRS

www.cve.org

cve-2021-21434

xss

survey module

otrs ag

security vulnerability

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

Survey administrator can craft a survey in such way that malicious code can be executed in the agent interface (i.e. another agent who wants to make changes in the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions.

CNA Affected

[
  {
    "product": "Survey",
    "vendor": "OTRS AG",
    "versions": [
      {
        "lessThanOrEqual": "6.0.20",
        "status": "affected",
        "version": "6.0.x",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "7.0.19",
        "status": "affected",
        "version": "7.0.x",
        "versionType": "custom"
      }
    ]
  }
]

References

otrs.com/release-notes/otrs-security-advisory-2021-01/