National Cyber Awareness System

Vulnerability Summary for CVE-2012-2582

Overview

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Vulnerability Note: VU#582879

Name: VU#582879

Hyperlink:http://www.kb.cert.org/vuls/id/582879

External Source: CONFIRM

Name: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/

Type: Advisory

Hyperlink:http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/

External Source: DEBIAN

Name: DSA-2536

Hyperlink:http://www.debian.org/security/2012/dsa-2536

External Source: SECUNIA

Name: 50513

Hyperlink:http://secunia.com/advisories/50513

External Source: SUSE

Name: openSUSE-SU-2012:1105

Hyperlink:http://lists.opensuse.org/opensuse-updates/2012-09/msg00024.html