Title: AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails
Severity: Less critical
Product: OTRS 2.4.x
Fixed in: OTRS 2.4.9
AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails
Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS,
interface that the agent himself could do.
Most relevant is that this type of exploit can be used in such a way that
the agent won't even detect he is being exploited.
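The defensive counterpart is to rebuild an incoming HTML mail from an allowlist before it is rendered in the agent view, so that scripts, event handlers and script-scheme links never reach the browser. The sanitizer below is an added example written for this advisory, not OTRS code; the tag list, the MailSanitizer class and SAMPLE_MAIL are constructed assumptions, and the approach applies to any HTML displayed in a privileged interface.

```python
import html
from html.parser import HTMLParser
# Allowlist of tags/attributes a ticket view needs; script, img, style=, on*
# handlers and anything else not listed is dropped rather than escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "blockquote", "pre", "div", "span", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_SCHEMES = ("http:", "https:", "mailto:")

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # >0 inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* event handler, style=, src=, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and relative links
            kept += f' {name}="{html.escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # HTML comments are discarded by default
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_mail_html(body: str) -> str:
    """Reduce a customer's HTML mail to markup that is safe in the agent view."""
    s = MailSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)

# Constructed sample of a hostile customer mail (not taken from the advisory).
SAMPLE_MAIL = ('<p>Hello <b>agent</b>,</p><script>alert(1)</script><img src="x" onerror="alert(1)">'
               '<a href="javascript:alert(1)" onclick="alert(2)">click</a>'
               '<a href="https://example.org/ticket">ok</a>')
```

Running `sanitize_mail_html(SAMPLE_MAIL)` leaves only the paragraph, the two link texts and the https link; the script element, the img element and both event handlers are gone rather than escaped.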
Affected by this vulnerability are all releases of OTRS 2.4.x up to and
This vulnerability is fixed in OTRS 2.4.9.
More Cross Site Scripting vulnerabilities have been disclosed in:
A more up-to-date fixed-in list is:
Fixed in: OTRS 2.4.10, 3.0.7
Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2.4.x
before 2.4.9, when RichText is enabled, allows remote attackers to inject
Fixed software added and vulnerable versions removed by Patrick Lauer via bug 379855. Closing noglsa for ~arch package.