Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 439336 (CVE-2012-4751) - <www-apps/otrs-3.2.4: XSS vulnerability (CVE-2012-4751,CVE-2013-2625)
Summary: <www-apps/otrs-3.2.4: XSS vulnerability (CVE-2012-4751,CVE-2013-2625)
Alias: CVE-2012-4751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2012-10-22 22:30 UTC by GLSAMaker/CVETool Bot
Modified: 2014-08-25 22:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-10-22 22:30:53 UTC
CVE-2012-4751 (
  Cross-site scripting (XSS) vulnerability in Open Ticket Request System
  (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before
  3.1.11 allows remote attackers to inject arbitrary web script or HTML via an
  e-mail message body with whitespace before a javascript: URL in the SRC
  attribute of an element, as demonstrated by an IFRAME element.
Comment 1 Agostino Sarubbo gentoo-dev 2013-04-09 13:55:01 UTC :

A vulnerability has been reported in OTRS Help Desk, which can be exploited by malicious users to bypass certain security restrictions.

The vulnerability is caused due to an error within the object linking mechanism, which does not properly check for access restrictions and can be exploited to view otherwise restricted ticket titles and objects or place and remove links to objects.

The vulnerability is reported in versions prior to 3.2.4, 3.1.14, and 3.0.19.

Update to version 3.2.4, 3.1.14, or 3.0.19.

Provided and/or discovered by
The vendor credits André Luerssen.

Original Advisory
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 00:37:24 UTC
3.2.4 is in tree. @maintainers: bump to 3.1.14 if you like, and please clean up.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-17 21:37:17 UTC
ping for cleanup
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:54:45 UTC
Maintainer timeout, cleanup done, closing noglsa. @maintainers: Dropped the 3.1 branch since you all didn't bump it and 3.2 is getting the updates anyway.