CVE-2019-9751
Published: 13 March 2019
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
otrs2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Not vulnerable
(6.0.16-2)
|
|
| trusty |
Does not exist
(trusty was needs-triage)
|
|
| upstream |
Released
(6.0.17-1)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |