Malicious email can cause browser to load external files.
An attacker who sends a malicious email to OTRS can cause the browser to load external files if the agent quotes the email.
Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).
As a workaround, you can replace the affected files (see below for download). Then, activate SysConfig option Ticket::Frontend::BlockLoadingRemoteContent.
ATTENTION: A lot of OTRS files are affected. Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.