Details

ID: ZSA-2012-03
Date: 2012-10-16
Title: XSS attack in Firefox and Opera possible
Severity: Critical
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.11, OTRS 3.0.17, OTRS 2.4.15
URL: http://znuny.com/en/#!/advisory/ZSA-2012-03
CVE: CVE-2012-4751
VU: VU#603276


Problem

An attacker could trick a logged-in user into executing malicious JavaScript code by sending a prepared email into OTRS.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.14, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.10.

Fixes

This vulnerability is fixed in OTRS (the releases OTRS 3.1.11, OTRS 3.0.17 and OTRS 2.4.15 will be published on 16 Oct 2012).


Workaround I

As a workaround, you can disable the rich text feature via SysConfig, so that incoming email bodies are shown as plain text rather than rendered as HTML.
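Disabling rich text removes the rendering of attacker-controlled HTML altogether. Where HTML display must stay enabled, the defence is an allowlist filter applied to the email body before it reaches the agent's browser. The following is an added example written for this advisory, not OTRS's own HTML filter; the allowlist, the class and function names and the sample email body are all constructed here.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist policy for rendering an HTML email body in a ticket view.
# Illustrative only; this is not OTRS's own HTML filter.
SAFE_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "div", "span"}
SAFE_ATTRS = {"a": {"href"}}          # no event handlers, no style, no src
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class EmailBodySanitizer(HTMLParser):
    # Re-serialises only allowlisted tags and attributes; everything else is dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside a tag whose content must be discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in SAFE_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in SAFE_ATTRS.get(tag, ()) or value is None:
                continue  # drops onerror=, onmouseover=, src=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in SAFE_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # script/style bodies never reach the output
            self.out.append(html.escape(data, quote=False))

def sanitize_email_html(body: str) -> str:
    p = EmailBodySanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

# Constructed sample of a "prepared" email body; not taken from the advisory.
SAMPLE_BODY = ('<p>Hello support,</p><script>alert(1)</script>'
               '<img src=x onerror="alert(1)"><a href="javascript:alert(1)">click</a>'
               '<b onmouseover="alert(1)">bold</b><a href="https://example.com/">ok</a>')
```

Running `sanitize_email_html(SAMPLE_BODY)` keeps the paragraph, the link text and the https link while the script block, the event handlers and the javascript: URL are all removed.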

Workaround II

As a workaround, it is also possible to replace the following files with the fixed versions:

OTRS 3.1.x:

OTRS 3.0.x:

OTRS 2.4.x:

References

Please send information regarding vulnerabilities in OTRS to security @ znuny.com.