CVE-2019-9751

NameCVE-2019-9751
DescriptionAn issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6vulnerable
buster/non-free6.0.16-2fixed
bullseye/non-free, sid/non-free6.0.23-2fixed
jessie3.3.18-1+deb8u4fixed
jessie (security)3.3.18-1+deb8u11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2source(unstable)6.0.17-1
otrs2sourcebuster6.0.16-2
otrs2sourcejessie(not affected)

Notes

[stretch] - otrs2 <no-dsa> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
OTRS 6: https://github.com/OTRS/otrs/commit/1afb2b995e59551b927c2105e234e8b87efcc37a

Search for package or bug name: Reporting problems