CVE-2019-16375 in Open Ticket Request System
Summary
by MITRE
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
Analysis
by VulDB Data Team • 05/11/2025
This vulnerability exists in the Open Ticket Request System (OTRS) platform, affecting versions 7.0.x through 7.0.11 and Community Edition versions 5.0.x through 5.0.37 and 6.0.x through 6.0.22. It is a classic stored cross-site scripting flaw: an authenticated attacker can inject JavaScript into an article, and the injected code runs when another agent composes an answer to that article. The risk is significant because the attack abuses the trust relationship between legitimate users and the system.
The root cause is inadequate input sanitization and output encoding in the article-handling components of OTRS. When a user creates an article, the system neither validates nor escapes potentially malicious content before storing it, so JavaScript can be persisted in the article body. The flaw is particularly dangerous because it turns the system's own trust model against it: a user with permission to create articles can cause code to run in the browsers of other users. The only precondition is a login as an agent or customer user with sufficient privileges, so anyone with legitimate access to the system is a potential attacker.
The operational impact goes beyond the script execution itself. An attacker could steal session cookies, redirect users to malicious sites, or run arbitrary script in the victim's browser. Because the payload is stored, the attack is persistent: the code executes each time the affected article is viewed or answered. This provides a vector for credential theft, data exfiltration, and potential lateral movement inside the organization's network. The attack chain follows the typical stored cross-site scripting pattern, in which the payload reaches the victim through a legitimate system interaction (here, answering the article) rather than through the victim's own input.
The vulnerability maps to CWE-79 (cross-site scripting) and to the ATT&CK technique T1059.007 (JavaScript execution). Organizations should implement proper input validation and output encoding so that malicious code is neither stored nor executed. The recommended mitigation is to upgrade to patched versions of OTRS, apply strict content sanitization, and establish access controls that limit which users can create articles. A web application firewall and regular security scanning can additionally help detect and prevent similar issues. The case illustrates why security testing and input validation matter in web applications: they prevent attackers from exploiting the trust inherent in legitimate user interactions.
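The mitigation described above (output encoding for plain-text articles, allowlist sanitization at render time for rich-text ones) as an added example. This is illustrative Python written for this page; it is not OTRS code (OTRS itself is written in Perl) and not part of the VulDB record. The function names, the tag and attribute allowlist, and the sample article body are assumptions constructed for the demonstration, and the "unsafe" renderer is a model of the vulnerable pattern, not the actual OTRS template.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample article body (not taken from the advisory): harmless
# formatting mixed with markup that must never reach an agent's browser live.
SAMPLE_ARTICLE_BODY = (
    'Hello <b>team</b>, see <script>alert(1)</script> and '
    '<a href="javascript:void(0)" onclick="x()">link</a>'
)

# Assumed allowlist for rich-text articles: structural/inline formatting only.
ALLOWED_TAGS = {"b", "i", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # no on* handlers, no style, no src
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative link


def safe_url(value):
    """Reject href values whose scheme could execute script (javascript:, data:, ...)."""
    return urlparse((value or "").strip()).scheme.lower() in SAFE_SCHEMES


class ArticleSanitizer(HTMLParser):
    """Rebuilds HTML from an allowlist: unknown tags and attributes are dropped,
    script/style bodies are discarded, and all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            if name == "href" and not safe_url(value):
                continue  # drops javascript: and data: links
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
            return
        if self.skipping or tag not in self.open_tags:
            return
        # Close back to the matching tag so the output stays well formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush any buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_article_html(body_html):
    parser = ArticleSanitizer()
    parser.feed(body_html)
    return parser.result()


def render_quoted_article_unsafe(body_html):
    """Vulnerable pattern: the stored body is interpolated into the compose
    page verbatim, so stored markup runs in the answering agent's browser."""
    return f'<div class="ArticleBody">{body_html}</div>'


def render_quoted_article_safe(body_html):
    """Hardened pattern: sanitize at output time, on every render, so it does
    not matter what an earlier code path allowed into the database."""
    return f'<div class="ArticleBody">{sanitize_article_html(body_html)}</div>'


def render_plain_article_safe(body_text):
    """Plain-text articles carry no markup, so every character is escaped."""
    return f'<div class="ArticleBody">{html.escape(body_text, quote=True)}</div>'


if __name__ == "__main__":
    print(render_quoted_article_unsafe(SAMPLE_ARTICLE_BODY))
    print(render_quoted_article_safe(SAMPLE_ARTICLE_BODY))
```

The design point is that the defence sits at output time: the sanitizer runs on every render of the quoted article, so content that an older or buggy input path already stored (the persistent case the analysis describes) is still neutralized when an agent composes an answer. Input validation on article creation is worth keeping as a second layer, but it cannot retroactively clean what is already in the database.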