CVE-2019-10066

Name of the Vulnerable Software and Affected Versions: Open Ticket Request System (OTRS) versions 7.x through 7.0.6 Open Ticket Request System (OTRS) Community Edition versions 6.0.x through 6.0.17 OTRSAppointmentCalendar versions 5.0.x through 5.0.12

Description: An issue was discovered that allows an attacker, logged in as an agent with appropriate permissions, to create a carefully crafted calendar appointment. This can cause the execution of JavaScript in the context of OTRS.

Recommendations: For OTRS versions 7.x through 7.0.6, update to a version outside of this range to resolve the issue. For OTRS Community Edition versions 6.0.x through 6.0.17, update to a version outside of this range to resolve the issue. For OTRSAppointmentCalendar versions 5.0.x through 5.0.12, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the creation of calendar appointments by agents until a patch is available.