Vulnerability CVE-2019-9752
Published: 2019-03-13   Modified: 2019-03-14

Description:
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.

Type:

CWE-94

 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
OTRS -> OTRS 

 References:
https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework
https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html
Copyright 2024, cxsecurity.com

 

Back to Top