CVE-2023-5421 LOW

CVE-2023-5421: Possible XSS execution in customer information

Vendor Otrs Ag

Product OTRS

Weakness CWE-20 · Input validation

Published October 16, 2023

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Adjacent

Attack complexity Low

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Key dates

02Disclosure timeline

October 16, 2023 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-5421

Related vulnerabilities

Identifiers

CVE CVE-2023-5421

CWE CWE-20

CVSS 3.5 / LOW

Affected versions

Vendor Otrs Ag

Product OTRS

Affected ≥ 7.0.x and < 7.0.47

Vendor Otrs Ag

Product OTRS

Affected ≥ 8.0.x and < 8.0.37

Vendor Otrs Ag

Product ((OTRS)) Community Edition

Affected ≥ 6.0.x and ≤ 6.0.34

CVE-2023-5421: Possible XSS execution in customer information

01Description

02Disclosure timeline

03References

04Related CVE