Upstream information

CVE-2020-1766 at MITRE

Description

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
CVSS v3 Scores
  National Vulnerability Database
Base Score 2
Vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality Impact None
Integrity Impact Low
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1160663 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP1
  • otrs >= 6.0.29-bp151.3.6.2
  • otrs-doc >= 6.0.29-bp151.3.6.2
  • otrs-itsm >= 6.0.29-bp151.3.6.2
Patchnames:
openSUSE-2020-1475
openSUSE-2020-551
SUSE Package Hub 15 SP2
  • otrs >= 6.0.29-bp152.2.8.1
  • otrs-doc >= 6.0.29-bp152.2.8.1
  • otrs-itsm >= 6.0.29-bp152.2.8.1
Patchnames:
openSUSE-2020-1475
openSUSE-2020-1509
SUSE Package Hub 15
  • otrs >= 5.0.42-bp150.2.10.1
  • otrs-doc >= 5.0.42-bp150.2.10.1
  • otrs-itsm >= 5.0.42-bp150.2.10.1
Patchnames:
openSUSE-2020-551
openSUSE Leap 15.1
  • otrs >= 6.0.29-lp151.2.6.2
  • otrs-doc >= 6.0.29-lp151.2.6.2
  • otrs-itsm >= 6.0.29-lp151.2.6.2
Patchnames:
openSUSE-2020-1475
openSUSE-2020-551
openSUSE Leap 15.2
  • otrs >= 6.0.29-lp152.2.3.4
  • otrs-doc >= 6.0.29-lp152.2.3.4
  • otrs-itsm >= 6.0.29-lp152.2.3.4
Patchnames:
openSUSE-2020-1475


SUSE Timeline for this CVE

CVE page created: Fri Jan 10 15:17:50 2020
CVE page last modified: Thu Dec 7 13:27:11 2023