Open Ticket Request System up to 5.0.37/6.0.22/7.0.11 cross site scripting

Summaryinfo

A vulnerability described as problematic has been identified in Open Ticket Request System up to 5.0.37/6.0.22/7.0.11. The impacted element is an unknown function. The manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2019-16375. The attack may be launched remotely. There is no exploit available.

Detailsinfo

A vulnerability classified as problematic has been found in Open Ticket Request System up to 5.0.37/6.0.22/7.0.11 (Ticket Tracking Software). Affected is an unknown code block. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.

The weakness was shared 03/19/2020 (Website). The advisory is shared for download at otrs.com. This vulnerability is traded as CVE-2019-16375 since 09/16/2019. It is possible to launch the attack remotely. The requirement for exploitation is a authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Ticket Tracking Software

Name

• Open Ticket Request System

Version

• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.0.7
• 5.0.8
• 5.0.9
• 5.0.10
• 5.0.11
• 5.0.12
• 5.0.13
• 5.0.14
• 5.0.15
• 5.0.16
• 5.0.17
• 5.0.18
• 5.0.19
• 5.0.20
• 5.0.21
• 5.0.22
• 5.0.23
• 5.0.24
• 5.0.25
• 5.0.26
• 5.0.27
• 5.0.28
• 5.0.29
• 5.0.30
• 5.0.31
• 5.0.32
• 5.0.33
• 5.0.34
• 5.0.35
• 5.0.36
• 5.0.37
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 6.0.19
• 6.0.20
• 6.0.21
• 6.0.22
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion