CVE-2012-2582

OTRS Help Desk <2.4.13, OTRS ITSM <3.0.15 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2582. PoCs published by loneferret.

AI-analyzed exploit summary This exploit demonstrates an XSS vulnerability in OTRS 3.1.4 by sending a malicious email with an embedded XSS payload. The payload uses CSS expression-based injection to trigger an alert dialog.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element.

Exploits (1)

exploitdb WORKING POC VERIFIED

by loneferret · pythonwebappswindows

https://www.exploit-db.com/exploits/20359

View Code ZIP pw:eip

This exploit demonstrates an XSS vulnerability in OTRS 3.1.4 by sending a malicious email with an embedded XSS payload. The payload uses CSS expression-based injection to trigger an alert dialog.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: OTRS Open Technology Real Services 3.1.4 (Windows)

Auth required

Prerequisites: Valid SMTP credentials · Access to the SMTP server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-updates/2012-09/msg00024.html

Vendor Advisory x_refsource_confirm

http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/

Exploit, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/582879

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/50513

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2012/dsa-2536

Scores

EPSS 0.0420

EPSS Percentile 89.6%

Details

CWE

CWE-79

Status published

Products (39)

otrs/otrs 2.4.0 beta1 (6 CPE variants)

otrs/otrs 2.4.1

otrs/otrs 2.4.2

otrs/otrs 2.4.3

otrs/otrs 2.4.4

otrs/otrs 2.4.5

otrs/otrs 2.4.6

otrs/otrs 2.4.7

otrs/otrs 2.4.8

otrs/otrs 2.4.9

... and 29 more

Published Aug 23, 2012

Tracked Since Feb 18, 2026