CVE-2013-2637

MEDIUM

OTRS FAQ < 2.0.8 and OTRS ITSM < 3.0.7 - Cross-Site Scripting via Changes, Workorder Items, and FAQ Articles


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2637. PoCs published by Luigi Vezzoso.

AI-analyzed exploit summary

This is a writeup describing a persistent XSS vulnerability in OTRS ITSM FAQ Module versions 3.2.x and below. The exploit involves injecting JavaScript into the 'Symptoms' field of a FAQ, which executes when viewed by other users.

Description

A Cross-Site Scripting (XSS) vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and in FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by Luigi Vezzoso · text · webapps · multiple
https://www.exploit-db.com/exploits/24922

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: OTRS ITSM 3.2.x, OTRS ITSM 3.1.x, OTRS ITSM 3.0.x, FAQ 2.1.x, FAQ 2.0.x
Auth required
Prerequisites: User credentials with permission to add a FAQ
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References

Mailing List, Third Party Advisory: http://lists.opensuse.org/opensuse-updates/2013-08/msg00027.html
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/58930
Exploit, Third Party Advisory, VDB Entry: http://www.exploit-db.com/exploits/24922
Third Party Advisory, VDB Entry: https://exchange.xforce.ibmcloud.com/vulnerabilities/83288

Scores

CVSS v3: 6.1
EPSS: 0.0420
EPSS Percentile: 89.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (4)
opensuse/opensuse 12.2
opensuse/opensuse 12.3
otrs/faq < 2.0.8
otrs/otrs_itsm < 3.0.7
Published: Feb 12, 2020
Tracked Since: Feb 18, 2026