
Bug 433770 (CVE-2012-4600)

Summary: <www-apps/otrs-3.1.10 : Email Body Script Insertion Vulnerability (CVE-2012-4600)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: trivial
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: patrick, web-apps
URL: https://secunia.com/advisories/50465/
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-09-03 10:37:06 UTC
From secunia at $URL:

Description
A vulnerability has been reported in OTRS Help Desk, which can be exploited by malicious people to conduct script insertion attacks.

Input passed within HTML e-mail messages is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires that the victim user is running Firefox or Opera.

The vulnerability is reported in versions prior to 2.4.14, 3.0.16, and 3.1.10.


Solution
Update to version 2.4.14, 3.0.16, or 3.1.10.
Comment 1 Patrick Lauer gentoo-dev 2012-09-03 10:57:19 UTC
+  03 Sep 2012; Patrick Lauer <patrick@gentoo.org> +otrs-3.1.10.ebuild,
+  -otrs-3.1.8.ebuild, -otrs-3.1.9.ebuild:
+  Bump for #433770

All older versions removed
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-03 11:32:39 UTC
Closed as noglsa
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-04 09:24:09 UTC
CVE-2012-4600 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4600):
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System
  (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before
  3.1.10, when Firefox or Opera is used, allows remote attackers to inject
  arbitrary web script or HTML via an e-mail message body with nested HTML
  tags.
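
The CVE text above says the injection rides on an e-mail body with nested HTML tags. What follows is an added illustration, not code from OTRS or from this bug report, of the general filter-bypass class that description names: a single-pass denylist strip that deletes `<script>` tags once leaves a working tag behind when the tags are nested inside each other, while an allowlist sanitizer that re-serialises only permitted elements and escapes everything else does not. The exact OTRS parsing logic is not on this page, so the naive filter, the tag and attribute allowlist, the URL scheme check and the sample e-mail bodies are assumptions constructed for the example (written in Python rather than OTRS's Perl so it can be run directly).

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body: a <script> element whose tags are split by an
# inner, nested <script>/<\/script> pair. This is an assumed input for the
# example, not a payload taken from the advisory.
NESTED_BODY = "<scr<script>ipt>alert(1)</scr</script>ipt>"

# Naive denylist filter (assumed, not OTRS's code): one regex pass that
# deletes <script ...> and </script> tags. Removing the inner pair splices the
# outer halves back together into a working <script> element.
def strip_script_once(body: str) -> str:
    return re.sub(r"</?script[^>]*>", "", body, flags=re.IGNORECASE)

# Allowlist sanitizer: rebuild the document from parsed tokens, emitting only
# known-safe elements/attributes and HTML-escaping all character data. Nothing
# from the input reaches the output as raw markup, so nesting tricks cannot
# reassemble a tag the sanitizer did not write itself. (Illustrative policy.)
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}   # drop the element and its text


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._suppress = 0           # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._suppress += 1
            return
        if tag not in ALLOWED_TAGS:
            return                   # unknown element: dropped, text kept
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # Only allow href values with an explicit, safe scheme; this
            # rejects javascript:, data: and scheme-less/relative links.
            if name == "href" and \
                    urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self._suppress:
                self._suppress -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print("naive    :", strip_script_once(NESTED_BODY))
    print("allowlist:", sanitize(NESTED_BODY))
    print("allowlist:", sanitize('<b>Hi</b> <a href="javascript:alert(1)">x</a>'))
```

Browsers repair malformed markup differently, which is one reason an HTML-injection advisory can be scoped to particular browsers as this one is; rebuilding from an allowlist avoids depending on that behaviour, because the output contains only well-formed tags the sanitizer itself emitted and every other `<` is escaped.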