CVE-2021-36092

Name: CVE-2021-36092
Description: It's possible to create an email which contains a specially crafted link that can be used to perform an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                          Version            Status
otrs2 (PTS)      stretch/non-free (security), stretch/non-free    5.0.16-1+deb9u6    undetermined
otrs2 (PTS)      buster/non-free                                  6.0.16-2           undetermined
otrs2 (PTS)      bullseye/non-free                                6.0.32-6           undetermined
otrs2 (PTS)      bookworm/non-free, sid/non-free                  6.0.36-2           undetermined

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
otrs2     source   (unstable)   undetermined

Notes

https://otrs.com/release-notes/otrs-security-advisory-2021-15/
It is unclear whether this affects Znuny; they could not reproduce it:
https://github.com/znuny/Znuny/issues/105#issuecomment-894013730
