ad-password arrow-down-ring arrow-left arrow-right auto-select cog customer-id excel-statistics external-link featured github icn-admin icn-developer icn-evaluierung icn-installation icn-keyuser icn-konzeptionierung icn-master icn-performance icn-review last-contact linkedin map-person messages multi-upload no-eye out-of-office password-guidlines pending-time phone plus proxy-support quick-close search service-catalog setting-search shield sugarcrm-integration tag-cloud ticket-create twitter watch-arrow watchlist xing

ZSA-2019-06

Malicious email can cause browser to load external files.

Problem

An attacker who sends a malicious email to OTRS can cause the browser to load external files if the agent quotes the email.

Solution

Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).

Workaround

As a workaround, you can replace the affected files (see below for download). Then, activate SysConfig option Ticket::Frontend::BlockLoadingRemoteContent.
ATTENTION: A lot of OTRS files are affected. Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.

Download

References