Bug 866476 (CVE-2014-1695) - VUL-0: CVE-2014-1695: otrs: xss in html email
Summary: VUL-0: CVE-2014-1695: otrs: xss in html email
Status: RESOLVED FIXED
Alias: CVE-2014-1695
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96707/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-03 06:42 UTC by Marcus Meissner
Modified: 2015-02-19 01:48 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-03-03 06:42:18 UTC
CVE-2014-1695

This Advisory covers vulnerabilities discovered in the OTRS core system.

    An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.

Affected by this vulnerability are all releases of OTRS 3.1.x up to and including 3.1.19, 3.2.x up to and including 3.2.14 and 3.3.x up to and including 3.3.4.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1695
http://www.cvedetails.com/cve/CVE-2014-1695/
https://www.otrs.com/security-advisory-2014-03-xss-issue
http://secunia.com/advisories/57018
http://www.securityfocus.com/bid/65844
Comment 1 Swamp Workflow Management 2014-03-03 23:00:12 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2014-03-06 00:57:20 UTC
ongoing work
Comment 3 Christian Wittmer 2014-03-06 01:21:28 UTC
Maintenance Request created (for 12.3, 13.1):

https://build.opensuse.org/request/show/224825
Comment 4 Marcus Meissner 2014-03-13 08:10:01 UTC
released
Comment 5 Swamp Workflow Management 2014-03-13 09:04:24 UTC
openSUSE-SU-2014:0360-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 866476
CVE References: CVE-2014-1695
Sources used:
openSUSE 13.1 (src):    otrs-3.2.15-31.5.1
openSUSE 12.3 (src):    otrs-3.1.20-26.9.1