Hi,
today I got the following OTRS Security Advisory (with mistakes, it looks like cut&past mistakes from the last one)
http://www.otrs.com/en/open-source/comm ... y-2012-02/
[...]
Date: Aug 30, 2012
Title: XSS vulnerability in Internet Explorer
Common Vulnerabilities and Exposures: CVE-2012-2582
[...]
Unfortunately there are several mistakes in there:
a) It's not on Internet Explorer, it's on Firefox and Opera
b) CVE-2012-2582 was the number of the advisory before (2012-01), the new one is CVE-2012-4600
I was not looking deeper but here is the correct advisory of the reporter:
http://znuny.com/en/#!/advisory/ZSA-2012-02
Security Advisory 2012-02 (cut&past mistakes)
Moderator: crythias
-
mikeeduard
- Znuny newbie
- Posts: 10
- Joined: 19 Aug 2012, 09:43
- Znuny Version: 3.1.x
- Real Name: Mike Eduard
- Company: Znuny GmbH
Re: Security Advisory 2012-02
Hi,
here is the correct text of the advisory (it will be fixed on webpage soon)
here is the correct text of the advisory (it will be fixed on webpage soon)
OTRS Security Advisory 2012-02
ID: OSA-2012-02
Date: 2011-08-30
Title: XSS vulnerability
Severity: Less critical
Product: OTRS 2.4.x, 3.0.x, 3.1.x
Fixed in: OTRS 2.4.14, 3.0.16, 3.1.10
URL: http://otrs.org/advisory/OSA-2012-02-en/
CVE: CVE-2012-4600
This Advisory covers vulnerabilities discovered in the OTRS core system.
XSS vulnerability
An attacker could send a specially prepared HTML email to OTRS which will cause JavaScript code to be executed when the email is displayed. This is achieved with an invalid HTML structure with nested tags.
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including 3.1.9.
This vulnerability is fixed in OTRS 2.4.14, 3.0.16 and 3.1.10, and it is recommended to upgrade to one of these versions.
Fixed OTRS releases can be found at:
http://otrs.org/releases/
As a workaround it is also possible to replace the following files with a fixed version.
OTRS 3.1.x:
Kernel/System/HTMLUtils.pm 1.35.2.3
OTRS 3.0.x:
Kernel/System/HTMLUtils.pm 1.27.2.5
OTRS 2.4.x:
Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.7
Kernel/Modules/AgentTicketAttachment.pm 1.22.2.7
Also available on http://source.otrs.org/.
Thanks to Znuny GmbH for reporting this vulnerability!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
-
mikeeduard
- Znuny newbie
- Posts: 10
- Joined: 19 Aug 2012, 09:43
- Znuny Version: 3.1.x
- Real Name: Mike Eduard
- Company: Znuny GmbH
Re: Security Advisory 2012-02 (cut&past mistakes)
Thanks for the fast response.
PS: Important, it's only with Firefox and Opera!
PS: Important, it's only with Firefox and Opera!