OTRSCVELIST:CVE-2020-1766CVE-2020-1766 Improper handling of uploaded inline images
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
85.5%
Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CNA Affected
[
{
"vendor": "OTRS AG",
"product": "((OTRS)) Community Edition",
"versions": [
{
"version": "5.0.x version 5.0.39 and prior versions",
"status": "affected"
},
{
"version": "6.0.x version 6.0.24 and prior versions",
"status": "affected"
}
]
},
{
"vendor": "OTRS AG",
"product": "OTRS",
"versions": [
{
"version": "7.0.x version 7.0.13 and prior versions",
"status": "affected"
}
]
}
]References
lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
lists.debian.org/debian-lts-announce/2020/01/msg00027.html
lists.debian.org/debian-lts-announce/2023/08/msg00040.html
otrs.com/release-notes/otrs-security-advisory-2020-02/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
85.5%