Candidate: CVE-2019-16375
PublicDate: 2020-03-19 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16375
 https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/
 https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 (6.x)
 https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da (5.x)
Description:
 An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11,
 and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker
 who is logged in as an agent or customer user with appropriate permissions can
 create a carefully crafted string containing malicious JavaScript code as an
 article body. This malicious code is executed when an agent composes an answer
 to the original article.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [5.4 MEDIUM]

Patches_otrs2:
upstream_otrs2: released (6.0.23-1)
precise/esm_otrs2: DNE
trusty_otrs2: ignored (out of standard support)
trusty/esm_otrs2: DNE
xenial_otrs2: ignored (end of standard support, was needs-triage)
bionic_otrs2: needs-triage
disco_otrs2: ignored (reached end-of-life)
eoan_otrs2: ignored (reached end-of-life)
focal_otrs2: not-affected (6.0.23-2)
groovy_otrs2: not-affected (6.0.23-2)
hirsute_otrs2: not-affected (6.0.23-2)
impish_otrs2: not-affected (6.0.23-2)
jammy_otrs2: not-affected (6.0.23-2)
devel_otrs2: not-affected (6.0.23-2)