Vigil@nce - OTRS Help Desk: Cross Site Scripting via an email
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an email to OTRS Help Desk, in order to
generate a Cross Site Scripting in the web browser of the victim
who reads the message.
Impacted products: OTRS Help Desk
Severity: 2/4
Creation date: 16/10/2012
DESCRIPTION OF THE VULNERABILITY
The OTRS Help Desk service processes users’ tickets, which can be
opened by email.
When the user sends an email in HTML format, the
Kernel/System/HTMLUtils.pm module is called to filter its content.
However, this filtering is incorrect when an attribute
"background", "url", "src" or "href" mixes simple and double
quotes (such as