Dasan Zhone · Dasan Zhone Znid Gpon 2426A · CVE-2019-10677
**Name of the Vulnerable Software and Affected Versions**
DASAN Zhone ZNID GPON 2426A EU version S3.1.285
**Description**
The issue affects the web interface of the device: unsanitized GET parameters are rendered into the returned pages, allowing a remote attacker to execute arbitrary JavaScript code in the browser of a user who opens a crafted URL, i.e. Cross-Site Scripting (XSS). Specifically, the `name` parameter of the `/zhndnsdisplay.cmd` endpoint and the `wlWscCfgMethod` and `wl_wsc_reg` parameters of the `/wlsecrefresh.wl` endpoint are affected.
**Recommendations**
For DASAN Zhone ZNID GPON 2426A EU version S3.1.285, consider disabling access to the `/zhndnsdisplay.cmd` and `/wlsecrefresh.wl` endpoints until a patch is available. Additionally, restrict the use of the `name`, `wlWscCfgMethod`, and `wl_wsc_reg` parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
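Until a fix ships, the practical defender control is to watch requests to the two affected endpoints. The following detector is an added example (not part of the advisory or of the vendor's software): it parses web-server access-log lines in common log format, looks only at the endpoints and parameters named above, and flags values containing HTML metacharacters or script-like fragments. The log lines and IP addresses are constructed sample data; the log format and the `wl_wsc_reg` spelling (underscores) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and GET parameters named in the advisory for CVE-2019-10677.
AFFECTED = {
    "/zhndnsdisplay.cmd": {"name"},
    "/wlsecrefresh.wl": {"wlWscCfgMethod", "wl_wsc_reg"},  # assumed underscore form
}
# Markup metacharacters or script-like fragments that have no business in these values.
SUSPICIOUS = re.compile(r'[<>"\'`]|javascript:|on\w+\s*=', re.IGNORECASE)
# Common log format (assumed): ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(target):
    """Return (endpoint, param, decoded_value) for each affected parameter
    whose value looks like markup; [] for any other request."""
    parts = urlsplit(target)
    watched = AFFECTED.get(parts.path)
    if not watched:
        return []
    hits = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key not in watched:
            continue
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; catch double-encoding too
            if SUSPICIOUS.search(decoded):
                hits.append((parts.path, key, decoded))
    return hits


def scan_log(lines):
    """Scan access-log lines and return one finding dict per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; ignore rather than crash the scan
        for endpoint, param, value in analyse_request(m["target"]):
            findings.append({"src": m["ip"], "time": m["ts"], "endpoint": endpoint,
                             "param": param, "value": value})
    return findings


# Constructed sample log: one benign lookup, two suspicious requests, one unrelated page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /zhndnsdisplay.cmd?name=home-router HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Jan/2024:10:00:05 +0000] "GET /zhndnsdisplay.cmd?name=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Jan/2024:10:00:07 +0000] "GET /wlsecrefresh.wl?wlWscCfgMethod=pin&wl_wsc_reg=%22%3E HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html?name=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The same `analyse_request` check can be applied to live request logs from a reverse proxy placed in front of the device, which is also where the recommended endpoint blocking can be enforced.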