ZSA-2019-01

Privilege escalation in picture upload

Problem

An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS.

Workaround

As a workaround, you can replace the affected files.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Download

Security patch for OTRS 5
Security patch for OTRS 6

References

Vendor advisory
CVE-2019-9752

ZSA	ZSA-2019-01
Date	01/18/19
Title	Privilege escalation in picture upload
Severity	Low
Product	OTRS Help Desk 5.0.x up to and including 5.0.33 as well as 6.0.x up to and including 6.0.15
Fixed in	OTRS Help Desk 5.0.34, 6.0.1
URL	Directlink
CVE	CVE-2019-9752