ZSA-2020-02
Execution of JavaScript through uploaded SVG file
Problem
A manipulated SVG file that has been uploaded can be used to execute JavaScript, because it is incorrectly displayed as an inline JPEG image.
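The following is an added example, not OTRS code and not part of the original advisory: a server-side check that an attachment declared as JPEG really contains JPEG data before it is shown inline. The function names, the constructed sample bytes and the policy of always forcing SVG to download are assumptions of this example.

```python
import re

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG stream starts with SOI + marker
# Markup that turns an SVG into active content instead of a passive picture.
ACTIVE_SVG = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b", re.I)

def sniff_type(data):
    """Classify the bytes themselves, ignoring file name and declared type."""
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM/whitespace
    if re.search(rb"<svg[\s>]", head, re.I):
        return "image/svg+xml"
    return "application/octet-stream"

def inline_decision(declared, data):
    """Return (action, reason) for an attachment the UI wants to show inline."""
    declared = declared.split(";")[0].strip().lower()
    actual = sniff_type(data)
    if actual == "image/svg+xml":
        reason = "SVG content"
        if declared != actual:
            reason += " declared as " + declared
        if ACTIVE_SVG.search(data):
            reason += ", contains script-capable markup"
        return ("download", reason)  # never render SVG in the app's origin
    if declared == actual == "image/jpeg":
        return ("inline", "JPEG magic bytes match declared type")
    # Fail closed: anything unrecognised or mismatched is not rendered.
    return ("download", "declared %s, content is %s" % (declared, actual))

# Constructed samples, not taken from the advisory.
SAMPLE_SVG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
              b"<script>/* placeholder */</script></svg>")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for declared, data in [("image/jpeg", SAMPLE_SVG),
                           ("image/jpeg", SAMPLE_JPEG)]:
        print(declared, "->", inline_decision(declared, data))
```

A "download" result here means serving the file with an attachment disposition rather than rendering it in the application's origin.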
Solution
Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).
Workaround
As a workaround, you can replace the affected files (see below for download).
ATTENTION: Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.