CVE-2022-39050: Possible XSS stored in customer information
First published: Mon Sep 05 2022(Updated: )
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
Credit: security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=6.0.0<=6.0.32 | |
| Otrs Otrs | >=7.0.0<7.0.37 | |
| Otrs Otrs | >=8.0.0<8.0.25 |
Remedy
Update to OTRS 7.0.37 or OTRS 8.0.25.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2022-39050.
What is the severity of CVE-2022-39050?
The severity of CVE-2022-39050 is medium with a CVSS score of 4.8.
What software is affected by CVE-2022-39050?
This vulnerability affects OTRS versions 6.0.0 to 6.0.32, 7.0.0 to 7.0.37, and 8.0.0 to 8.0.25.
What is the impact of CVE-2022-39050?
An attacker who is logged into OTRS as an admin user can manipulate the customer URL field to store JavaScript code which will be executed when other agents click the customer URL link, allowing unauthorized code execution in the context of OTRS.
How can I fix CVE-2022-39050?
Apply the latest security update provided by OTRS to fix this vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/6.0.0
- version/otrs otrs/6.0.32
- version/otrs otrs/7.0.0
- version/otrs otrs/8.0.0