Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an attribute of an element, as demonstrated by an IFRAME element.
A vulnerability has been reported in OTRS Help Desk, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused by an error within the object linking mechanism, which does not properly check access restrictions; it can be exploited to view otherwise restricted ticket titles and objects, or to place and remove links to objects.
The vulnerability is reported in versions prior to 3.2.4, 3.1.14, and 3.0.19.
Update to version 3.2.4, 3.1.14, or 3.0.19.
Provided and/or discovered by: the vendor credits André Luerssen.
3.2.4 is in tree. @maintainers: bump to 3.1.14 if you like, and please clean up.
ping for cleanup
Maintainer timeout, cleanup done, closing noglsa. @maintainers: Dropped the 3.1 branch since you all didn't bump it and 3.2 is getting the updates anyway.