CVE-2012-4751

OTRS Help Desk <2.4.15, <3.0.17, <3.1.11 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Mike Eduard · pythonwebappswindows

https://www.exploit-db.com/exploits/22070

View Code ZIP pw:eip

exploitdb WORKING POC

by Mike Eduard · pythonwebappswindows

https://www.exploit-db.com/exploits/20959

View Code ZIP pw:eip

References (7)

[Mailing List] http://lists.opensuse.org/opensuse-updates/2013-01/msg00036.html

[Exploit, Third Party Advisory] http://packetstormsecurity.org/files/117504/OTRS-3.1-Cross-Site-Scripting.html

[US Government Resource] http://www.kb.cert.org/vuls/id/603276

[Vendor Advisory] http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/56093

[Exploit] http://znuny.com/assets/proof_of_concept_cve_2012-4751-znuny.py

[Vendor Advisory] http://znuny.com/en/#%21/advisory/ZSA-2012-03

Scores

EPSS 0.0786

EPSS Percentile 91.9%

Details

CWE

CWE-79

Status published

Products (50)

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

otrs/otrs

... and 40 more

Published Oct 22, 2012

Tracked Since Feb 18, 2026