Bug 433770 (CVE-2012-4600) - <www-apps/otrs-3.1.10 : Email Body Script Insertion Vulnerability (CVE-2012-4600)
Alias: CVE-2012-4600
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Depends on:
Reported: 2012-09-03 10:37 UTC by Agostino Sarubbo
Modified: 2012-09-04 09:24 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-09-03 10:37:06 UTC
From secunia at $URL:

A vulnerability has been reported in OTRS Help Desk, which can be exploited by malicious people to conduct script insertion attacks.

Input passed within HTML e-mail messages is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires that the victim user is running Firefox or Opera.

The vulnerability is reported in versions prior to 2.4.14, 3.0.16, and 3.1.10.

Update to version 2.4.14, 3.0.16, or 3.1.10.
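The advisory above describes the class of bug but not the input, and the CVE text only says "nested HTML". As an added illustration, not OTRS code and not the actual payload that affected OTRS (which this page does not show), the Python below builds a constructed e-mail body in which a nested tag splits the word `script`, then runs three sanitizer designs over it: a single-pass blacklist (defeated, because removing the inner tag reassembles the outer one), the same blacklist repeated until it stops changing the input (closes this hole but remains a blacklist), and an allowlist rebuild on top of the standard library `html.parser` (the design a practitioner should prefer). The tag and attribute allowlist is an assumption chosen for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample body (not taken from the advisory): the nested tag splits
# "script", so a filter that removes tags in a single pass reassembles it.
NESTED_PAYLOAD = '<p>Hello</p><scr<script>ipt>alert(1)</script><b>bye</b>'

SCRIPT_TAG = re.compile(r'<\s*/?\s*script[^>]*>', re.IGNORECASE)


def contains_script_tag(markup):
    """True if the markup still carries a literal <script ...> or </script> tag."""
    return SCRIPT_TAG.search(markup) is not None


def strip_script_once(markup):
    """Blacklist filter, single pass: the design a nested tag defeats."""
    return SCRIPT_TAG.sub('', markup)


def strip_script_until_stable(markup, max_rounds=10):
    """Same blacklist, repeated until a pass removes nothing more.

    Fixes the nesting hole, but other tags, event-handler attributes and
    javascript: URLs still pass through untouched.
    """
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub('', markup)
        if cleaned == markup:
            return markup
        markup = cleaned
    raise ValueError('sanitizer did not converge')


class AllowlistRebuilder(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is escaped.

    Unknown tags (including the mangled 'scr<script' token) are dropped, so
    no tag the sender wrote can reach the output unchanged. The allowlist
    here is an illustrative assumption, not OTRS's policy.
    """
    ALLOWED_TAGS = {'p', 'b', 'i', 'br', 'a'}
    ALLOWED_ATTRS = {'a': {'href'}}
    SAFE_SCHEMES = ('http://', 'https://', 'mailto:')

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onmouseover=, style=, etc.
            if name == 'href' and not value.strip().lower().startswith(self.SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS and tag != 'br':
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        # Text is always escaped, so a stray '<' or '>' in the body is inert.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (and conditional comments) are dropped


def sanitize_allowlist(markup):
    parser = AllowlistRebuilder()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    print('single pass  :', strip_script_once(NESTED_PAYLOAD))
    print('until stable :', strip_script_until_stable(NESTED_PAYLOAD))
    print('allowlist    :', sanitize_allowlist(NESTED_PAYLOAD))
```

Running it shows the single pass emitting a live `<script>` tag while the other two do not; the allowlist version also neutralises the attribute-based vectors the blacklist never looked at, which is why the advisory's fix is better read as "render only what you positively permit" than as "remove the script tag".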
Comment 1 Patrick Lauer gentoo-dev 2012-09-03 10:57:19 UTC
+  03 Sep 2012; Patrick Lauer <> +otrs-3.1.10.ebuild,
+  -otrs-3.1.8.ebuild, -otrs-3.1.9.ebuild:
+  Bump for #433770

All older versions removed
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-03 11:32:39 UTC
Closed as noglsa
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-04 09:24:09 UTC
CVE-2012-4600 (
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System
  (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before
  3.1.10, when Firefox or Opera is used, allows remote attackers to inject
  arbitrary web script or HTML via an e-mail message body with nested HTML