CVE-2023-38057 – XSS stored in survey answers
https://notcve.org/view.php?id=CVE-2023-38057
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject JavaScript code into free-text answers. This enables a cross-site scripting attack when the replies are read by an authenticated agent. This issue affects the OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13, and the ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22. • https://otrs.com/release-notes/otrs-security-advisory-2023-06 • CWE-20: Improper Input Validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27852 – Checkbox Survey Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2021-27852
Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7. • https://www.kb.cert.org/vuls/id/706695 • CWE-502: Deserialization of Untrusted Data
CVE-2021-21434 – XSS in Survey Module
https://notcve.org/view.php?id=CVE-2021-21434
A survey administrator can craft a survey in such a way that malicious code is executed in the agent interface (i.e. for another agent who wants to make changes to the survey). This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions. • https://otrs.com/release-notes/otrs-security-advisory-2021-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')