Upstream information
Description
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.
| National Vulnerability Database | |
|---|---|
| Base Score | 3.5 |
| Vector | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
| National Vulnerability Database | |
|---|---|
| Base Score | 5.4 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
- openSUSE-SU-2020:0551-1, published Sat, 25 Apr 2020 21:13:38 +0200 (CEST)
- openSUSE-SU-2020:1475-1, published Sun, 20 Sep 2020 06:21:38 +0200 (CEST)
- openSUSE-SU-2020:1509-1, published Wed, 23 Sep 2020 15:20:26 +0200 (CEST)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Package Hub 15 SP1 |
| Patchnames: openSUSE-2020-1475 openSUSE-2020-551 |
| SUSE Package Hub 15 SP2 |
| Patchnames: openSUSE-2020-1475 openSUSE-2020-1509 |
| SUSE Package Hub 15 |
| Patchnames: openSUSE-2020-551 |
| openSUSE Leap 15.1 |
| Patchnames: openSUSE-2020-1475 openSUSE-2020-551 |
| openSUSE Leap 15.2 |
| Patchnames: openSUSE-2020-1475 |
Run SAP
SUSE for Public Cloud
