CVE-2019-9752

NameCVE-2019-9752
DescriptionAn issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1721-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)buster/non-free6.0.16-2fixed
buster/non-free (security)6.0.16-2+deb10u1fixed
bullseye/non-free6.0.32-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
otrs2sourcejessie3.3.18-1+deb8u8DLA-1721-1
otrs2source(unstable)6.0.16-1

Notes

[stretch] - otrs2 <ignored> (Non-free not supported)
https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/
OTRS 6: https://github.com/OTRS/otrs/commit/341c4096222819a108feb02256aba878943bf810
OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
Search for package or bug name: Reporting problems