CVE-2020-1766: Improper handling of uploaded inline images
First published: Fri Jan 10 2020(Updated: )
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
Credit: security@otrs.com security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=5.0.0<=5.0.39 | |
| Otrs Otrs | >=6.0.0<=6.0.24 | |
| Otrs Otrs | >=7.0.0<=7.0.13 | |
| Debian Debian Linux | =8.0 |
Remedy
Upgrade to OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25, ((OTRS)) Community Edition 5.0.40
Remedy
Patch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 Patch for ((OTRS)) Community Edition 5: https://github.com/OTRS/otrs/commit/b7d80f9000fc9a435743d8d1d7d44d9a17483a9a
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00027.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://otrs.com/release-notes/otrs-security-advisory-2020-02/
Frequently Asked Questions
What is CVE-2020-1766?
CVE-2020-1766 is a vulnerability that allows the execution of malicious JavaScript from a specially crafted SVG file in ((OTRS)) Community Edition.
Which versions of ((OTRS)) Community Edition are affected by CVE-2020-1766?
((OTRS)) Community Edition versions 5.0.0 through 5.0.39, 6.0.0 through 6.0.24, and 7.0.0 through 7.0.13 are affected by CVE-2020-1766.
What is the severity of CVE-2020-1766?
CVE-2020-1766 has a severity rating of 6.1, which is considered medium.
How can I fix CVE-2020-1766?
To fix CVE-2020-1766, upgrade to the latest version of ((OTRS)) Community Edition.
Where can I find more information about CVE-2020-1766?
You can find more information about CVE-2020-1766 in the following references: [Reference 1](http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html), [Reference 2](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html), [Reference 3](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html).
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/references
- agent/author
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/severity
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/5.0.0
- version/otrs otrs/5.0.39
- version/otrs otrs/6.0.0
- version/otrs otrs/6.0.24
- version/otrs otrs/7.0.0
- version/otrs otrs/7.0.13
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0