Title: XSS attack in Firefox and Opera possible
Product: OTRS 3.1.x, OTRS 3.0.x, OTRS 2.4.x
Fixed in: OTRS 3.1.10, OTRS 3.0.16, OTRS 2.4.14
An attacker can send a specially prepared email into OTRS that, when the resulting ticket article is viewed by a logged-in user in Firefox or Opera, executes attacker-supplied JavaScript in that user's browser session (a stored cross-site scripting vulnerability).
Affected are all OTRS 2.4.x releases up to and including 2.4.13, all OTRS 3.0.x releases up to and including 3.0.15, and all OTRS 3.1.x releases up to and including 3.1.9.
The vulnerability is fixed in OTRS 3.1.10, OTRS 3.0.16 and OTRS 2.4.14, which will be published on 30 Aug 2012.
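For the class of issue described above (attacker-controlled HTML arriving by email and being rendered to a logged-in agent), the server-side defence is an allowlist sanitizer applied to the HTML body before it is stored or rendered: keep only known-harmless tags and attributes, discard script-bearing elements together with their content, reject `href` values whose scheme is not allowlisted, and re-escape all text. The following is an added example and is not OTRS's own HTML handling, which this page does not show; the `sanitize_html`/`safe_url` functions, the tag and attribute allowlists and the sample email body are all constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative allowlist of tags a rendered article may keep (not OTRS's own
# configuration). Tags not listed are dropped; their text content is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "a", "blockquote", "pre", "code", "span", "div",
                "table", "thead", "tbody", "tr", "td", "th"}
# Per-tag attribute allowlist. Deliberately no "style" and no "on*" handlers.
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"},
                 "th": {"colspan", "rowspan"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements whose entire content is discarded, not just the tags themselves.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br"}


def safe_url(value):
    # Browsers tolerate whitespace and control characters inside a scheme
    # ("java\tscript:"), so strip them before inspecting it. Entity-encoded
    # schemes ("&#106;avascript:") are already decoded by HTMLParser.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None          # reject; relative URLs (empty scheme) pass
    return value


class Sanitizer(HTMLParser):
    """Allowlist HTML sanitizer that re-emits balanced, re-escaped markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # currently open allowlisted tags
        self.drop_depth = 0    # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # drops style=, on*= and everything else
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return
        # Close everything opened after this tag so the output stays balanced.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are not copied through.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def result(self):
        self.close()
        while self.stack:      # close tags the sender left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize_html(body):
    """Sanitize one HTML email body before it is stored or rendered."""
    parser = Sanitizer()
    parser.feed(body)
    return parser.result()


# Constructed sample email body (not a real message): legitimate formatting
# mixed with the usual script-bearing constructs.
SAMPLE_EMAIL_BODY = (
    "<p>Hello <b>support</b>,</p>"
    "<script>alert(document.cookie)</script>"
    '<p onmouseover="alert(1)" style="color:red">see '
    '<a href="java\tscript:alert(1)">this</a> and '
    '<a href="https://example.com/ticket?id=1" onclick="alert(2)">that</a></p>'
    '<img src=x onerror="alert(3)">'
    "<!-- hidden --><p>Thanks"
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_EMAIL_BODY))
```

The sanitizer is deliberately fail-closed: an unknown tag is removed rather than passed through, an element such as `<script>` or `<iframe>` that the sender never closes swallows the rest of the body, and the output is re-serialized from the parse tree (with every open tag closed) instead of being patched by regex, so the agent's browser receives markup that was assembled by the server, not by the sender.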
As a workaround, disable the rich text feature via SysConfig.
Alternatively, replace the following files with their fixed versions:
Please send information regarding vulnerabilities in OTRS to security @ znuny.com.