Znuny Professional Services

The ((OTRS)) Community Edition Fork with long-term Support (LTS)

Overview

ZSA-2026-02

A Reflected Cross-Site Scripting (XSS) vulnerability exists in multiple Action endpoints of the application due to insufficient validation and sanitization of user-supplied parameters. Specifically, parameters such as QueueID, OrderBy, ServiceID, and SortBy are reflected back into the response without proper encoding, enabling attackers to inject arbitrary JavaScript. When a crafted malicious URL is delivered to a victim (e.g., via phishing or social engineering) and subsequently accessed, the payload executes in the victim's browser within the security context of their session. For privileged accounts such as administrators, this can lead to theft of sensitive session information (SessionID) and allow full account takeover.

Fixed in: Znuny LTS 6.5.19 and Znuny 7.3.1
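For reviewing web server access logs on installations that ran an affected version, the sketch below flags requests in which one of the parameters named above carries a value outside its expected shape. It is an added example, not code from Znuny or from the advisory; the expected value shapes, the `/index.pl` path, the `Action=Example` placeholder and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters named in ZSA-2026-02. The expected shapes are assumptions:
# IDs are decimal integers, sort controls are short plain tokens.
EXPECTED = {
    "QueueID": re.compile(r"\d{1,10}"),
    "ServiceID": re.compile(r"\d{1,10}"),
    "OrderBy": re.compile(r"[A-Za-z]{1,32}"),
    "SortBy": re.compile(r"[A-Za-z0-9_]{1,64}"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return (name, decoded value) for each listed parameter whose value
    does not match its expected shape."""
    # Accept ';' as well as '&' between query parameters.
    query = urlsplit(url).query.replace(";", "&")
    return [(name, value) for name, value in parse_qsl(query)
            if name in EXPECTED and not EXPECTED[name].fullmatch(value)]


def scan(lines):
    """Return (line number, parameter, decoded value) findings."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings += [(lineno, n, v)
                         for n, v in suspicious_params(match.group(1))]
    return findings


# Constructed sample lines (combined log format); path and Action are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.pl?Action=Example;QueueID=2;SortBy=Age;OrderBy=Up HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2026:10:00:05 +0000] "GET /index.pl?Action=Example&QueueID=2%22%3E%3Cb%3E&OrderBy=Up HTTP/1.1" 200 5300',
    '192.0.2.44 - - [01/Jan/2026:10:00:09 +0000] "GET /index.pl?Action=Example;ServiceID=7;SortBy=Age%27x HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name}={value!r} is outside the expected shape")
```

Only query strings are inspected, so parameters sent in a POST body do not appear in access logs and need a different data source.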