Security Advisory 2012-01

August 22, 2012 -- Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Security Advisory Details

Date: Aug 22, 2012
Title: XSS vulnerability in Internet Explorer
Severity: less critical
Affected:
- OTRS Help Desk 2.4.x
- OTRS Help Desk 3.0.x
- OTRS Help Desk 3.1.x
- OTRS ITSM 3.1.x
- OTRS ITSM 3.0.x
- OTRS ITSM 2.1.x
Fixed in:
- OTRS 2.4.13, 3.0.15, 3.1.9 and OTRS ITSM 3.1.6, 3.0.6, 2.1.5
Affected FeatureAddons: OTRSImportantArticles, OTRSCategoriesForTextModules
Common Vulnerabilities and Exposures: CVE-2012-2582

Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS core system. Due to the XSS vulnerability in Internet Explorer an attacker could send a specially prepared HTML email to OTRS which would cause JavaScript code to be executed in your Internet Explorer while displaying the email.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to and including 3.1.8 in combination with Internet Explorer.

Recommended Resolution

This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9 as well as in in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5. and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: http://www.otrs.com/open-source/community-news/releases-notes/

Updates for the affected FeatureAddons are also available:
OTRSImportantArticles 1.1.2 and OTRSCategoriesForTextModules 1.1.2 for OTRS 3.1.x, OTRSImportantArticles 1.0.2 and OTRSCategoriesForTextModules 1.0.4 for OTRS 3.0.x.