CVE-2023-5421

EUVD-2023-57736
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs 
immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.5 LOW
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
OTRSCNA
3.5 LOW
ADJACENT_NETWORK
LOW
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
otrsotrs
6.0.0 ≤
𝑥
≤ 6.0.34
otrsotrs
7.0.0 ≤
𝑥
< 7.0.47
otrsotrs
8.0.0 ≤
𝑥
< 8.0.37
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
otrs2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
ignored
xenial
needs-triage
znuny
bionic
dne
focal
dne
jammy
dne
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://otrs.com/release-notes/otrs-security-advisory-2023-09/
https://otrs.com/release-notes/otrs-security-advisory-2023-09/