Vulnerability CVE-2013-2637

Vulnerability Name:

CVE-2013-2637 (CCN-83288)

Assigned:

2013-04-02

Published:

2013-04-02

Updated:

2020-02-18

Summary:

A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2013-2637

Source: MISC
Type: Mailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-08/msg00027.html

Source: CCN
Type: SA52973
OTRS ITSM / FAQ Module Security Bypass and Script Insertion Vulnerabilities

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://www.exploit-db.com/exploits/24922

Source: CCN
Type: OTRS Web site
OTRS Help Desk software - OTRS IT Service Management software - Free Open Source Help Desk - Problem Management System - Customer Interaction Software | OTRS

Source: CCN
Type: Security Advisory 2013-02
OTRS XSS vulnerability

Source: CCN
Type: BID-58930
OTRS ITSM/FAQ Module CVE-2013-2637 Multiple HTML Injection Vulnerabilities

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/58930

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/83288

Source: XF
Type: UNKNOWN
otrsfaq-cve20132637-xss(83288)

Source: CCN
Type: Packet Storm Security [04-07-2013]
OTRS FAQ Cross Site Scripting

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [04-08-2013]

Vulnerable Configuration:

Configuration 1:

cpe:/a:otrs:faq:*:*:*:*:*:*:*:* (Version < 2.0.8)

OR cpe:/a:otrs:faq:*:*:*:*:*:*:*:* (Version >= 2.1.0 and < 2.1.4)

OR cpe:/a:otrs:otrs_itsm:*:*:*:*:*:*:*:* (Version < 3.0.7)

OR cpe:/a:otrs:otrs_itsm:*:*:*:*:*:*:*:* (Version >= 3.1.0 and < 3.1.8)

OR cpe:/a:otrs:otrs_itsm:*:*:*:*:*:*:*:* (Version >= 3.2.0 and < 3.2.4)

Configuration 2:

cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:otrs:otrs_itsm:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.0.6:*:*:*:*:*:*:*

OR cpe:/a:otrs:faq:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:otrs:faq:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs_itsm:3.2.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20132637	V	CVE-2013-2637	2022-06-30
oval:org.opensuse.security:def:113077	P	otrs-3.3.16-37.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106514	P	Security update for apache2 (Important) (in QA)	2022-01-10

BACK