Vulnerability CVE-2012-4600 - CERT Civis.Net

Vulnerability Name:

CVE-2012-4600 (CCN-78238)

Assigned:

2012-08-30

Published:

2012-08-30

Updated:

2018-08-13

Summary:

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
2.1 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2012-4600

Source: CCN
Type: Open Ticket Request System Web Site
OTRS.org

Source: CCN
Type: Packetstorm Security Website
OTRS Open Technology Real Services 3.1.8 / 3.1.9 XSS

Source: CCN
Type: SA50465
OTRS Email Body Script Insertion Vulnerability

Source: SECUNIA
Type: UNKNOWN
50615

Source: DEBIAN
Type: DSA-2536
otrs2 -- cross-site scripting

Source: CCN
Type: US-CERT VU#511404
Open Technology Real Services nested tags cross-site scripting vulnerability

Source: CERT-VN
Type: Exploit, US Government Resource
VU#511404

Source: CCN
Type: Security Advisory 2012-02
XSS vulnerability in Firefox and Opera

Source: CONFIRM
Type: Vendor Advisory
http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2012-02/

Source: CCN
Type: BID-55328
OTRS Email Body CVE-2012-4600 HTML Injection Vulnerability

Source: CCN
Type: ZSA-2012-02
XSS attack in Firefox and Opera possible

Source: MISC
Type: UNKNOWN
http://znuny.com/en/#!/advisory/ZSA-2012-02

Source: XF
Type: UNKNOWN
otrs-message-body-xss(78238)

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [08-31-2012]

Vulnerable Configuration:

Configuration 1:

cpe:/a:otrs:otrs:2.4.0:beta1:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta2:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta3:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta4:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta5:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta6:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.9:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.10:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.11:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.12:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.13:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:otrs:otrs:3.0.0:beta1:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta5:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta6:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta7:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.9:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.10:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.11:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.12:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.13:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.14:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.15:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.6:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:otrs:otrs:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.9:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:otrs:otrs:2.4.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.10:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta1:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta1:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.9:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta7:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta6:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta5:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.0:beta4:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta2:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta3:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta4:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta5:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.0:beta6:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.12:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.13:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:2.4.11:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.9:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.11:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.10:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.13:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.12:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.15:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.0.14:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.0:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.5:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.4:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.8:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.9:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:3.1.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20124600	V	CVE-2012-4600	2022-06-30
oval:org.opensuse.security:def:113077	P	otrs-3.3.16-37.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106514	P	Security update for apache2 (Important) (in QA)	2022-01-10
oval:org.mitre.oval:def:17986	P	DSA-2536-1 otrs2 - cross-site scripting	2014-06-23
oval:com.ubuntu.bionic:def:201246000000000	V	CVE-2012-4600 on Ubuntu 18.04 LTS (bionic) - medium.	2012-08-31
oval:com.ubuntu.artful:def:20124600000	V	CVE-2012-4600 on Ubuntu 17.10 (artful) - medium.	2012-08-31
oval:com.ubuntu.xenial:def:20124600000	V	CVE-2012-4600 on Ubuntu 16.04 LTS (xenial) - medium.	2012-08-31
oval:com.ubuntu.xenial:def:201246000000000	V	CVE-2012-4600 on Ubuntu 16.04 LTS (xenial) - medium.	2012-08-31
oval:com.ubuntu.bionic:def:20124600000	V	CVE-2012-4600 on Ubuntu 18.04 LTS (bionic) - medium.	2012-08-31
oval:com.ubuntu.precise:def:20124600000	V	CVE-2012-4600 on Ubuntu 12.04 LTS (precise) - medium.	2012-08-31
oval:com.ubuntu.trusty:def:20124600000	V	CVE-2012-4600 on Ubuntu 14.04 LTS (trusty) - medium.	2012-08-31