Vulnerability CVE-2019-9751

Vulnerability Name:

CVE-2019-9751 (CCN-159206)

Assigned:

2019-03-08

Published:

2019-03-08

Updated:

2019-03-15

Summary:

An issue was discovered in Open Ticket Request System (OTRS) 6.x before 6.0.17 and 7.x before 7.0.5. An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS. This is related to Kernel/Output/Template/Document.pm.

CVSS v3 Severity:

4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2019-9751

Source: MISC
Type: Patch, Vendor Advisory
https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework

Source: CCN
Type: OTRS Security Advisory 2019-02
Security Update for OTRS Framework

Source: XF
Type: UNKNOWN
otrs-cve20199751-xss(159206)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-9751

Vulnerable Configuration:

Configuration 1:

cpe:/a:otrs:otrs:*:*:*:*:*:*:*:* (Version >= 6.0.0 and < 6.0.17)

OR cpe:/a:otrs:otrs:*:*:*:*:*:*:*:* (Version >= 7.0.0 and < 7.0.5)

Configuration CCN 1:

cpe:/a:otrs:otrs:6.0.16:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:7.0.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.disco:def:201997510000000	V	CVE-2019-9751 on Ubuntu 19.04 (disco) - medium.	2019-03-13
oval:com.ubuntu.bionic:def:20199751000	V	CVE-2019-9751 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-13
oval:com.ubuntu.cosmic:def:201997510000000	V	CVE-2019-9751 on Ubuntu 18.10 (cosmic) - medium.	2019-03-13
oval:com.ubuntu.cosmic:def:20199751000	V	CVE-2019-9751 on Ubuntu 18.10 (cosmic) - medium.	2019-03-13
oval:com.ubuntu.bionic:def:201997510000000	V	CVE-2019-9751 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-13
oval:com.ubuntu.trusty:def:20199751000	V	CVE-2019-9751 on Ubuntu 14.04 LTS (trusty) - medium.	2019-03-13
oval:com.ubuntu.xenial:def:201997510000000	V	CVE-2019-9751 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-13
oval:com.ubuntu.xenial:def:20199751000	V	CVE-2019-9751 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-13

BACK