An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2023-10-16T08:10:55.114Z

Updated: 2024-09-16T16:55:01.099Z

Reserved: 2023-10-05T08:12:09.849Z

Link: CVE-2023-5421

cve-icon Vulnrichment

Updated: 2024-08-02T07:59:44.593Z

cve-icon NVD

Status : Modified

Published: 2023-10-16T09:15:11.940

Modified: 2024-11-21T08:41:44.230

Link: CVE-2023-5421

cve-icon Redhat

No data.