CVE-2019-9752
Severity: MEDIUM
OTRS 5.x < 5.0.34, 6.x < 6.0.16, 7.x < 7.0.4 - Stored Cross-Site Scripting via Picture Upload Content-Type Mishandling
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-Type mishandling in Kernel/Modules/PictureUpload.pm. Exploitation therefore needs an authenticated agent or customer account and a victim who opens the stored resource in a browser, which is what the PR:L and UI:R components of the CVSS vector below express; the script runs under the OTRS origin, hence the changed scope (S:C).
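The following is an added illustration of the weakness class the description names, not OTRS code and not the actual contents of Kernel/Modules/PictureUpload.pm: a picture-upload handler that stores and later replays the MIME type the uploader declared, next to one that derives the type from the file bytes. The accepted image types, the `Upload` record and the sample uploads are assumptions constructed for the example.

```python
"""
Illustration (added here; not OTRS code) of Content-Type mishandling in a
picture-upload path: trusting the client-declared MIME type when a stored
upload is later served lets an authenticated user store HTML that the
browser executes under the application's origin.
"""
from dataclasses import dataclass

# Assumption for this example: the application only needs PNG, JPEG and GIF.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class Upload:
    filename: str
    content_type: str  # MIME type declared by the client in the multipart part
    data: bytes


def sniff_image_type(data: bytes):
    """Return the MIME type whose magic bytes start the payload, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def serve_vulnerable(upload: Upload) -> dict:
    """Weak pattern: replay whatever Content-Type the uploader sent.

    A logged-in user can push an HTML document through the picture endpoint
    with Content-Type: text/html; when another user opens it, the browser
    renders it as a page on the application's origin and runs its script.
    """
    return {
        "status": 200,
        "headers": {"Content-Type": upload.content_type},
        "body": upload.data,
    }


def serve_hardened(upload: Upload) -> dict:
    """Fix: ignore the declared type, accept only bytes that carry a known
    image signature, set Content-Type from the sniffed type, and forbid the
    browser from second-guessing it."""
    sniffed = sniff_image_type(upload.data)
    if sniffed is None:
        return {"status": 400, "headers": {}, "body": b"not an accepted image"}
    return {
        "status": 200,
        "headers": {
            "Content-Type": sniffed,
            "X-Content-Type-Options": "nosniff",
        },
        "body": upload.data,
    }


def browser_would_execute_script(response: dict) -> bool:
    """Rough model of the client: script runs only when the document is
    rendered as HTML, i.e. served with a text/html Content-Type."""
    ctype = response["headers"].get("Content-Type", "")
    return response["status"] == 200 and ctype.split(";")[0].strip() == "text/html"


# Constructed sample: an "avatar" that is really an HTML document.
CRAFTED = Upload(
    filename="avatar.png",
    content_type="text/html",
    data=b"<html><script>alert(document.domain)</script></html>",
)

# Constructed sample: a genuine PNG header sent with a misleading declared type.
GENUINE_PNG = Upload(
    filename="avatar.png",
    content_type="application/octet-stream",
    data=b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
)

if __name__ == "__main__":
    print("vulnerable handler executes script:",
          browser_would_execute_script(serve_vulnerable(CRAFTED)))
    print("hardened handler status for crafted upload:",
          serve_hardened(CRAFTED)["status"])
    print("hardened handler type for real PNG:",
          serve_hardened(GENUINE_PNG)["headers"]["Content-Type"])
```

The check that matters in review is the second one: the hardened path never consults `upload.content_type` at all, so there is no declared type left to mishandle. Signature sniffing alone is not a complete image validator (a polyglot can carry a valid PNG header and still parse as something else in another context), so in a real service the `nosniff` header and serving user content from a separate origin remain worth keeping alongside it.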
References (5)
Patch, Vendor Advisory (OTRS): https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework
Mailing List, Third Party Advisory (Debian LTS): https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html
Mailing List, Third Party Advisory (openSUSE): http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
Mailing List, Third Party Advisory (openSUSE): http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
Mailing List, Third Party Advisory (openSUSE): http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
Scores
CVSS v3.1 base score: 5.4 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0059
EPSS Percentile: 69.3%
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-site Scripting)
Status: published
Products (4)
opensuse/backports_sle 15.0 sp1 (2 CPE variants)
opensuse/leap 15.1
opensuse/leap 15.2
otrs/otrs 5.0.0 - 5.0.34 (range as listed; per the description above 5.0.34 is the fixed release, so 5.0.33 is the last affected 5.x build, and 6.x before 6.0.16 and 7.x before 7.0.4 are also affected although no product entry is listed for them)
Published: Mar 13, 2019
Tracked Since: Feb 18, 2026