An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
Metrics
Affected Vendors & Products
References
History
Mon, 16 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Title | Possible XSS stored in customer information | Possible XSS stored in customer information |
MITRE
Status: PUBLISHED
Assigner: OTRS
Published: 2022-09-05T06:40:11.972213Z
Updated: 2024-09-16T19:24:11.199Z
Reserved: 2022-08-31T00:00:00
Link: CVE-2022-39050
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-09-05T07:15:08.063
Modified: 2024-11-21T07:17:27.333
Link: CVE-2022-39050
Redhat
No data.