Balázs Úr

**Name of the Vulnerable Software and Affected Versions** otrs (affected versions not specified) **Description** The issue allows an attacker to determine if a provided username exists and is valid by utilizing the Request New Password feature. This is achieved based on the response time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OTRS AG OTRS versions 7.0.0 through 7.0.32 OTRS AG OTRS versions 8.0.0 through 8.0.19 **Description** A malicious translator can inject JavaScript code into translatable strings where HTML is allowed. This code can be executed in the Package manager. **Recommendations** For OTRS AG OTRS versions 7.0.0 through 7.0.32, update to a version later than 7.0.32 to resolve the issue. For OTRS AG OTRS versions 8.0.0 through 8.0.19, update to a version later than 8.0.19 to resolve the issue. As a temporary workaround, consider restricting the ability to inject JavaScript code into translatable strings until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OTRS AG Time Accounting versions prior to 7.0.19 **Description** The issue allows for the injection of malicious JS code into certain fields in the project create screen. This code may be executed in the Reporting screen. **Recommendations** For versions prior to 7.0.19, update to version 7.0.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the Reporting screen and the project create screen to minimize the risk of exploitation. Avoid using the affected fields in the project create screen until the issue is resolved.