ByteOS Network

CVE Vulnerability Details :

CVE-2020-1771

PUBLISHED

More Info Official Page

Assigner-OTRS

Assigner Org ID-2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8

Published At-27 Mar, 2020 | 12:47

Updated At-17 Sep, 2024 | 03:28

▼CVE Numbering Authority (CNA)

Possible XSS in Customer user address book

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Affected Products

Vendor

OTRS AG

Product

((OTRS)) Community Edition

Versions

Affected

From 6.0.x through 6.0.26 (custom)

Vendor

OTRS AG

Product

OTRS

Versions

Affected

From 7.0.x through 7.0.15 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Cross-site Scripting (XSS)

Type: CWE

CWE ID: CWE-79

Description: CWE-79 Cross-site Scripting (XSS)

Metrics

Version	Base score	Base severity	Vector
3.1	4.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Version: 3.1

Base score: 4.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Solutions

Upgrade to OTRS 7.0.16, ((OTRS)) Community Edition 6.0.27 Patch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/2576830053f70a3a9251558e55f34843dec61aa2

Credits

Christoph Wuetschner

References

Hyperlink	Resource
https://otrs.com/release-notes/otrs-security-advisory-2020-08/	N/A
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html	vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html	vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html	vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html	mailing-list

Hyperlink: https://otrs.com/release-notes/otrs-security-advisory-2020-08/

Resource: N/A

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html

Resource:

vendor-advisory

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html

Resource:

vendor-advisory

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html

Resource:

vendor-advisory

Hyperlink: https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Resource:

mailing-list

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://otrs.com/release-notes/otrs-security-advisory-2020-08/	x_transferred
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html	vendor-advisory x_transferred
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html	vendor-advisory x_transferred
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html	vendor-advisory x_transferred
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html	mailing-list x_transferred

Hyperlink: https://otrs.com/release-notes/otrs-security-advisory-2020-08/

Resource:

x_transferred

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html

Resource:

vendor-advisory

x_transferred

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html

Resource:

vendor-advisory

x_transferred

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html

Resource:

vendor-advisory

x_transferred

Hyperlink: https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Resource:

mailing-list

x_transferred

Affected Products

Affected

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References