CVE-2023-5421: XSS
First published: Mon Oct 16 2023(Updated: )
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Credit: security@otrs.com security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=6.0.0<=6.0.34 | |
| Otrs Otrs | >=7.0.0<7.0.47 | |
| Otrs Otrs | >=8.0.0<8.0.37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-5421.
What is the severity rating for this vulnerability?
The severity rating for this vulnerability is medium, with a value of 5.5.
How can an attacker exploit this vulnerability?
An attacker who is logged into OTRS as a user with privileges to create and change customer user data can manipulate the CustomerID field to execute JavaScript code.
Which versions of OTRS are affected by this vulnerability?
Versions 6.0.0 to 6.0.34, 7.0.0 to 7.0.47, and 8.0.0 to 8.0.37 of OTRS are affected by this vulnerability.
Is there a fix or patch available for this vulnerability?
Yes, a fix is available. Please refer to the provided reference link for more information.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-api
- collector/nvd-index
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/6.0.0
- version/otrs otrs/6.0.34
- version/otrs otrs/7.0.0
- version/otrs otrs/8.0.0