Description
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Mike Eduard · pythonwebappswindows
https://www.exploit-db.com/exploits/22070
exploitdb
WORKING POC
by Mike Eduard · pythonwebappswindows
https://www.exploit-db.com/exploits/20959
References (7)
Core 7
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-01/msg00036.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/56093
Exploit x_refsource_confirm
http://znuny.com/assets/proof_of_concept_cve_2012-4751-znuny.py
Vendor Advisory x_refsource_confirm
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
Vendor Advisory x_refsource_confirm
http://znuny.com/en/#%21/advisory/ZSA-2012-03
US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/603276
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.org/files/117504/OTRS-3.1-Cross-Site-Scripting.html
Scores
EPSS
0.0555
EPSS Percentile
90.3%
Details
CWE
CWE-79
Status
published
Products (39)
otrs/otrs
2.4.0 beta1 (6 CPE variants)
otrs/otrs
2.4.1
otrs/otrs
2.4.2
otrs/otrs
2.4.3
otrs/otrs
2.4.4
otrs/otrs
2.4.5
otrs/otrs
2.4.6
otrs/otrs
2.4.7
otrs/otrs
2.4.8
otrs/otrs
2.4.9
... and 29 more
Published
Oct 22, 2012
Tracked Since
Feb 18, 2026