CVE-2022-39050 MEDIUM

CVE-2022-39050: Possible XSS stored in customer information

Vendor Otrs Ag
Product OTRS
Weakness CWE-79 · XSS
Published September 5, 2022
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap

Key dates

02Disclosure timeline

September 5, 2022 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-46532 WordPress Tooltip plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-9439 1000projects Online Project Report Submission and Evaluation System edit_faculty.php cross site scripting CVE-2024-9141 Cross-Site Scripting (XSS) vulnerability in Oct8ne CVE-2025-31445 WordPress Pages Order plugin <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-1277 Ocean Extra <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting