August 22, 2012 -- Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
- Date: Aug 22, 2012
- Title: XSS vulnerability in Internet Explorer
- Severity: less critical
- Affected products:
  - OTRS Help Desk 2.4.x
  - OTRS Help Desk 3.0.x
  - OTRS Help Desk 3.1.x
  - OTRS ITSM 3.1.x
  - OTRS ITSM 3.0.x
  - OTRS ITSM 2.1.x
- Fixed in: OTRS 2.4.13, 3.0.15, 3.1.9 and OTRS ITSM 3.1.6, 3.0.6, 2.1.5
- Affected FeatureAddons: OTRSImportantArticles, OTRSCategoriesForTextModules
- Common Vulnerabilities and Exposures: CVE-2012-2582
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to and including 3.1.8, when the web interface is used with Internet Explorer.
This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9 as well as in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5; it is recommended to upgrade to one of these versions.
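As an added example that is not part of the OTRS advisory, the following Python check maps an installed OTRS or OTRS::ITSM version onto the affected and fixed ranges stated above. The RELEASE-file parser assumes the `PRODUCT = ...` / `VERSION = ...` line format that OTRS writes to the installation root, which is an assumption made here rather than something the advisory states.

```python
# Added example, not from the OTRS advisory: classify an installed version
# against the affected/fixed ranges published for CVE-2012-2582.
import re

# Lowest release of each affected branch that carries the fix, per the advisory.
# Branches not listed here are not mentioned by the advisory at all.
FIXED_IN = {
    "OTRS": {(2, 4): (2, 4, 13), (3, 0): (3, 0, 15), (3, 1): (3, 1, 9)},
    "OTRS::ITSM": {(2, 1): (2, 1, 5), (3, 0): (3, 0, 6), (3, 1): (3, 1, 6)},
}


def parse_version(text):
    """Turn '3.0.14' (or '3.1.9 beta1') into an integer tuple for comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for a product/version pair.

    'affected' means the release predates the fix in its branch; the XSS is
    only triggered when the web interface is used from Internet Explorer, but
    the upgrade recommendation applies regardless of the clients in use.
    'not-listed' means the advisory makes no statement about that branch, so
    it must not be read as 'safe'.
    """
    branches = FIXED_IN[product]
    v = parse_version(version)
    branch = v[:2]
    if branch not in branches:
        return "not-listed"
    return "fixed" if v >= branches[branch] else "affected"


def assess_release_file(text):
    """Assess the PRODUCT/VERSION lines of an OTRS RELEASE file (assumed format)."""
    fields = dict(re.findall(r"^\s*(PRODUCT|VERSION)\s*=\s*(.+?)\s*$", text, re.M))
    return assess(fields["PRODUCT"], fields["VERSION"])


# Constructed sample RELEASE file content, as an installed 3.0.14 would carry.
SAMPLE_RELEASE = "PRODUCT = OTRS\nVERSION = 3.0.14\n"

if __name__ == "__main__":
    print(assess_release_file(SAMPLE_RELEASE))  # affected
```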
Fixed OTRS releases can be found at: http://www.otrs.com/open-source/community-news/releases-notes/
Updates for the affected FeatureAddons are also available:
OTRSImportantArticles 1.1.2 and OTRSCategoriesForTextModules 1.1.2 for OTRS 3.1.x; OTRSImportantArticles 1.0.2 and OTRSCategoriesForTextModules 1.0.4 for OTRS 3.0.x.
As a workaround it is also possible to replace the following files with the fixed version; the fixed revision is listed after each path.
OTRS 2.4.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 184.108.40.206
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 220.127.116.11
OTRS 3.0.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 18.104.22.168
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 22.214.171.124
OTRS 3.1.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 126.96.36.199
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 188.8.131.52
OTRS ITSM 2.1.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 184.108.40.206
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 220.127.116.11
OTRS ITSM 3.0.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 18.104.22.168
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 22.214.171.124
OTRS ITSM 3.1.x:
- Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 1.49
- Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 1.23
They are also available on http://source.otrs.org/viewvc.cgi/otrs/.