CVE-2017-9299

Name of the Vulnerable Software and Affected Versions Open Ticket Request System (OTRS) versions prior to 3.3.20

Description The issue concerns a Cross-Site Scripting (XSS) attack. Specifically, it affects index.pl requests with the Action=AgentStats parameter. The vulnerability can be exploited through the OrderBy and Direction parameters, allowing for XSS attacks, as demonstrated by OrderBy=[XSS] and Direction=[XSS].

Recommendations For versions prior to 3.3.20, update to version 3.3.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the index.pl endpoint with the Action=AgentStats parameter to minimize the risk of exploitation. Avoid using the OrderBy and Direction parameters in the affected API endpoint until the issue is resolved.