PT-2022-4661 · Otrs+1

Aleksey Solovev · Published 2021-09-29 · Updated 2024-08-06 · CVE-2022-39050

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: OTRS (affected versions not specified)

Description: The issue allows an attacker logged in as an admin user to manipulate the customer URL field, storing JavaScript code that is executed later when any agent clicks the customer URL link. The stored JavaScript runs in the context of OTRS. A similar issue applies to values taken from external data sources, such as databases or LDAP. The vulnerability is caused by insufficient protection of the web page structure against user-controlled input, which allows a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations: For all affected versions, consider disabling the ability to store and execute JavaScript code in the customer URL field as a temporary workaround until a patch is available. Restrict access to external data sources, such as databases or LDAP, to minimize the risk of exploitation. Avoid using the customer URL field until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
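As an added illustrative example (not OTRS code), the kind of check the workaround above describes: a customer URL value, whether entered by an admin or pulled from an external database or LDAP, is accepted only if it is an absolute http(s) URL, and is always escaped before being placed in the link an agent clicks. The function names and the sample inputs are constructed for this example.

```python
"""Allowlist validation for a customer URL field before it is stored or
rendered as a link in the agent UI. Illustrative example, not OTRS code."""
from urllib.parse import urlsplit
import html

# Only absolute web URLs are allowed; javascript:, data:, vbscript: and
# scheme-less values are rejected by omission rather than by blocklist.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def is_safe_customer_url(value: str) -> bool:
    """Return True only for an absolute http(s) URL with a host part."""
    if not isinstance(value, str) or not value or len(value) > MAX_URL_LENGTH:
        return False
    # Leading/trailing whitespace and ASCII control characters are a classic
    # way to slip a scheme past naive checks, so they fail outright.
    if value != value.strip() or any(ord(c) < 0x20 for c in value):
        return False
    try:
        parts = urlsplit(value)  # scheme is returned lower-cased
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_customer_link(value: str) -> str:
    """Build the HTML shown to an agent for a stored customer URL.

    Valid URLs become an <a> element with both the href attribute and the
    visible text HTML-escaped; anything else (including values sourced from
    an external DB or LDAP) is shown as escaped, non-clickable text.
    """
    if is_safe_customer_url(value):
        return (f'<a href="{html.escape(value, quote=True)}">'
                f'{html.escape(value)}</a>')
    return f'<span class="invalid-url">{html.escape(value)}</span>'


if __name__ == "__main__":
    # Constructed sample values: one legitimate URL, one script-scheme value
    # of the type the advisory describes, one attribute-breaking URL.
    for sample in ("https://example.com/customer/42",
                   "javascript:void(0)",
                   'https://example.com/a"b'):
        print(is_safe_customer_url(sample), render_customer_link(sample))
```

The same validator should run on the read path as well as the write path, so that records already stored or fetched from an external source are neutralized when displayed.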

Weakness Enumeration: XSS

Related Identifiers

ALT-PU-2021-2917
ALT-PU-2021-3039
ALT-PU-2021-3058
ALT-PU-2024-10583
BDU:2022-05546
CVE-2022-39050

Affected Products

Alt Linux
Otrs