CVE-2017-9299

Name: CVE-2017-9299
Description: Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | stretch/non-free (security), stretch/non-free | 5.0.16-1+deb9u1 | undetermined |
| otrs2 | buster/non-free, sid/non-free | 5.0.22-1 | undetermined |
| otrs2 | wheezy | 3.1.7+dfsg1-8+deb7u5 | undetermined |
| otrs2 | wheezy (security) | 3.1.7+dfsg1-8+deb7u6 | undetermined |
| otrs2 | jessie (security), jessie | 3.3.9-3+deb8u1 | undetermined |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | (unstable) | undetermined | medium | | |

Notes

The issue was most likely already fixed in the 3.x series before 3.3.17.
The exact issue, fixing commits and upstream version have not yet been tracked down.
