Security Advisory 2012-02

August 30, 2012 -- Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

 

Security Advisory Details

  • Date: Aug 30, 2012
  • Title: XSS vulnerability in Firefox and Opera
  • Severity: less critical
  • Affected:
    • OTRS Help Desk 2.4.x
    • OTRS Help Desk 3.0.x
    • OTRS Help Desk 3.1.x
  • Fixed in:
    • OTRS 2.4.14, 3.0.16, 3.1.10
  • Common Vulnerabilities and Exposures: CVE-2012-4600
 
 
 

 

Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS core system. This is a variance of the XSS vulnerability, where an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your browser while displaying the email in Firefox and Opera. In this case this is achieved with an invalid HTML structure with nested tags.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including 3.1.9 in combination with Firefox and Opera.

 
 
 
 

Recommended Resolution

This vulnerability is fixed in OTRS 2.4.14, 3.0.16 and 3.1.10 and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: http://www.otrs.com/open-source/community-news/releases-notes/

Workaround

As a workaround it is also possible to replace the following files with a fixed version.

OTRS 3.1.x:

  • Kernel/System/HTMLUtils.pm 1.35.2.3

OTRS 3.0.x:

  • Kernel/System/HTMLUtils.pm 1.27.2.5

OTRS 2.4.x:

  • Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.7
  • Kernel/Modules/AgentTicketAttachment.pm 1.22.2.7

  They are also available on http://source.otrs.org/viewvc.cgi/otrs/.

 

Report a Vulnerability

security@otrs.org

PGP Key

pub  2048R/9C227C6B 2011-03-21 [expires at: 2014-03-20]

uid  OTRS Security Team <security@otrs.org>


Fingerprint  E330 4608 DA6E 34B7 1551  C244 7F9E 44E9 9C22 7C6B