XSS attack in Firefox and Opera possible
An attacker could trick a logged in user to execute malicious java script code by sending a prepared email into OTRS.
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.9.
As workaround you need to disable the rich text feature via SysConfig.
Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).
- Security patch for OTRS 5
- Security patch for OTRS 4