CVE-2024-43443

EUVD-2024-40280

26.08.2024, 09:15

Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins.
This issue affects: 

  *  OTRS from 7.0.X through 7.0.50
  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS from 2024.X through 2024.5.X
  *  ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
OTRS	CNA	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Ubuntu Releases

Ubuntu Product

Codename

znuny

focal	dne
jammy	dne
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage

Common Weakness Enumeration

CWE-790 - Improper Filtering of Special Elements
The software receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.

References

https://otrs.com/release-notes/otrs-security-advisory-2024-11/