CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-9752
https://notcve.org/view.php?id=CVE-2019-9752
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm. Se ha descubierto un problema en Open Ticket Request System (OTRS), en CVErsiones 5.x anteriores a la 5.0.34, CVErsiones 6.x anteriores a la 6.0.16 y CVErsiones 7.x anteriores a la 7.0.4. Un atacante que haya iniciado sesión en OTRS como usuario agente o cliente podría subir un recurso manipulado para provocar la ejecución de JavaScript en el contexto de OTRS. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-9751
https://notcve.org/view.php?id=CVE-2019-9751
An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm. Se ha descubierto un problema en Open Ticket Request System (OTRS), en CVErsiones 6.x, anteriores a la 6.0.17 y CVErsiones 7.x anteriores a la 7.0.5. Un atacante que haya iniciado sesión en OTRS como usuario administrador podría manipular la URL para provocar la ejecución de JavaScript en el contexto de OTRS. • https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •