Vigil@nce - OTRS: Cross Site Scripting
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger several Cross Site Scripting vulnerabilities
in OTRS, in order to execute JavaScript code in the web browser of
visitors.
Severity: 2/4
Creation date: 12/04/2011
IMPACTED PRODUCTS
- OTRS
DESCRIPTION OF THE VULNERABILITY
The OTRS service is used to manage incident tickets via a web site.
However, several OTRS pages do not correctly filter their
parameters before displaying them:
- Kernel/Output/HTML/Layout.pm
- Kernel/Output/HTML/Lite/Warning.dtl
- Kernel/Output/HTML/Standard/CustomerError.dtl
- Kernel/Output/HTML/Standard/CustomerFooter.dtl
- Kernel/Output/HTML/Standard/CustomerTicketSearchResultShort.dtl
- Kernel/Output/HTML/Standard/CustomerWarning.dtl
- Kernel/Output/HTML/Standard/Error.dtl
- Kernel/Output/HTML/Standard/FooterJS.dtl
- Kernel/Output/HTML/Standard/Warning.dtl
An attacker can therefore trigger several Cross Site Scripting
vulnerabilities in OTRS, in order to execute JavaScript code in the
web browser of visitors.
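
For teams that carry local changes to these templates, a review aid for the unfiltered-output problem described above. This is an added example, not code from the bulletin or from OTRS. It assumes the DTL convention in which $Data{"..."} and $Env{"..."} emit a value as-is while $QData, $LQData and $QEnv emit a quoted form; the sample templates and function names are constructed for illustration.

```python
import re

# Assumed DTL convention (not stated in the bulletin): $Data{"x"} and $Env{"x"}
# emit the value unchanged; $QData, $LQData and $QEnv emit a quoted form.
RAW_TAG = re.compile(r'\$(Data|Env)\{"([^"]*)"\}')

# Constructed sample templates; the markup is illustrative, not OTRS source.
SAMPLES = {
    "SampleError.dtl": (
        '<h1>$Text{"Error"}</h1>\n'
        '<p class="msg">$Data{"Message"}</p>\n'
        '<p class="cmt">$QData{"Comment"}</p>\n'
    ),
    "SampleFooter.dtl": (
        '<a href="$Env{"Baselink"}Action=$LQData{"Action"}">back</a>\n'
        '<span>$QEnv{"UserLogin"}</span>\n'
    ),
}


def find_raw_tags(name, text):
    """Return (file, line number, tag kind, key) for each unquoted output tag."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RAW_TAG.finditer(line):
            hits.append((name, lineno, m.group(1), m.group(2)))
    return hits


def audit(templates):
    """Scan a {filename: content} mapping and collect all review candidates."""
    findings = []
    for name in sorted(templates):
        findings.extend(find_raw_tags(name, templates[name]))
    return findings


if __name__ == "__main__":
    for name, lineno, kind, key in audit(SAMPLES):
        print(f'{name}:{lineno}: raw ${kind}{{"{key}"}} - confirm the value is escaped before output')
```

A hit is a candidate for review, not a confirmed flaw: a raw tag is harmless when the value is already escaped or is trusted markup built by the application.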
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OTRS-Cross-Site-Scripting-10544