CVE-2023-5421

Summary

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Affected Software

VendorProductVersion RangeStatus
OTRS AGOTRS7.0.x < 7.0.47affected
OTRS AGOTRS8.0.x < 8.0.37affected
OTRS AG((OTRS)) Community Edition6.0.x <= 6.0.34affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

Switch AdminCustomerUser::UseAutoComplete off

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References