Vulnerability Description
An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, the JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Otrs | Otrs | >= 5.0.0, <= 5.0.41 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (Broken Link)
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (Broken Link)
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (Broken Link)
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://otrs.com/release-notes/otrs-security-advisory-2020-08/ (Vendor Advisory)
FAQ
What is CVE-2020-1771?
CVE-2020-1771 is a vulnerability with a CVSS score of 4.6 (MEDIUM). An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, JavaScript code is executed due to the missing parameter enco...
How severe is CVE-2020-1771?
CVE-2020-1771 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-1771?
Check the references section above for vendor advisories and patch information. Affected products include: Otrs Otrs.