An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs
immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: OTRS
Published: 2023-10-16T08:10:55.114Z
Updated: 2024-09-16T16:55:01.099Z
Reserved: 2023-10-05T08:12:09.849Z
Link: CVE-2023-5421
Vulnrichment
Updated: 2024-08-02T07:59:44.593Z
NVD
Status : Modified
Published: 2023-10-16T09:15:11.940
Modified: 2024-11-21T08:41:44.230
Link: CVE-2023-5421
Redhat
No data.