CVE-2023-5421

Name of the Vulnerable Software and Affected Versions OTRS versions 7.0.X through 7.0.46 OTRS versions 8.0.X through 8.0.36 OTRS Community Edition versions 6.0.X through 6.0.34

Description An attacker who is logged into OTRS as a user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediately after the data is saved. The issue only occurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.

Recommendations For OTRS versions 7.0.X through 7.0.46, update to version 7.0.47 or later. For OTRS versions 8.0.X through 8.0.36, update to version 8.0.37 or later. For OTRS Community Edition versions 6.0.X through 6.0.34, update to version 6.0.35 or later. As a temporary workaround, consider restricting access to the CustomerID field until a patch is available. Restrict the use of the AdminCustomerUser::UseAutoComplete configuration to minimize the risk of exploitation.