ad-password arrow-down-ring arrow-left arrow-right auto-select cog customer-id excel-statistics external-link featured github icn-admin icn-developer icn-evaluierung icn-installation icn-keyuser icn-konzeptionierung icn-master icn-performance icn-review last-contact linkedin map-person messages multi-upload no-eye out-of-office password-guidlines pending-time phone plus proxy-support quick-close search service-catalog setting-search shield sugarcrm-integration tag-cloud ticket-create twitter watch-arrow watchlist xing


XSS attack in Firefox and Opera possible


An attacker could trick a logged in user to execute malicious java script code by sending a prepared email into OTRS.
Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.13, OTRS 3.0.x up to and including 3.0.15, as well as all 3.1.x versions up to and including 3.1.9.


As workaround you need to disable the rich text feature via SysConfig.


Upgrade to the latest available OTRS patch level (


  • Security patch for OTRS 5
  • Security patch for OTRS 4