
William Bastos

Rank: #19791 of 53,635
Total CVSS: 13.2
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-45265
7.1
2026-06-01
Unknown · Otrs Community Edition · CVE-2026-48209
**Name of the Vulnerable Software and Affected Versions**
OTRS Community Edition versions 6.x and earlier
OTRS Community Edition versions 7.0.x

**Description**
Improper neutralization of user-controllable input in ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS), which is a technique where malicious scripts are injected into a trusted website and reflected back to the user. By injecting malicious JavaScript into manipulated request URLs via crafted request parameters associated with ticket actions, attackers can execute arbitrary script code within the context of an authenticated agent session when the crafted link is opened.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2024-32366
6.1
2024-06-27
WordPress · Contact Form 7 · CVE-2024-4704
**Name of the Vulnerable Software and Affected Versions**
Contact Form 7 versions prior to 5.9.5

**Description**
The issue allows an attacker to utilize a false URL and redirect to the URL of their choosing, due to an open redirect in the plugin.

**Recommendations**
For versions prior to 5.9.5, update to version 5.9.5 or later to resolve the issue.