SECURITY ADVISORY
Injecting custom JS code through customer management
- PUBLISHED: October 05, 2023
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSIONS: OTOBO 10.0
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2023-5421
Description
Problem
- XSS Vulnerability: An attacker logged in as a user with permission to create and modify customer data could place JavaScript code in the CustomerID field; the code was executed immediately after the data was saved. This issue only occurs if the AdminCustomerUser::UseAutoComplete configuration had previously been changed from its default.
- Header Injection Fix: We have addressed a vulnerability that allowed header injection via web services in systems where these were enabled.
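Both issues above are well-known bug classes: an untrusted value interpolated into HTML (here the CustomerID shown by an autocomplete widget), and a header value carrying CR/LF that splits one header into two. The following is an added, generic illustration of the defensive side of each, written in Python; it is not OTOBO's code (OTOBO is written in Perl) and says nothing about how the actual fix was implemented. All function names and sample values are constructed for this example.

```python
"""Added example, not part of the advisory or of OTOBO: the two bug classes
named above, with the vulnerable rendering pattern beside its hardened form
and a CR/LF check for outgoing header values."""
import html
import json
import re

# Constructed sample CustomerID containing markup. The advisory gives no
# payload; this is only a marker to show whether tags survive rendering.
SAMPLE_CUSTOMER_ID = 'acme<script>/*constructed*/</script>'

# Constructed sample header value containing a CR/LF sequence.
SAMPLE_HEADER_VALUE = "application/json\r\nX-Injected: yes"


def render_suggestion_unsafe(customer_id):
    """Vulnerable pattern: the stored value is concatenated straight into
    HTML, so any tags in it become live markup in the autocomplete list."""
    return '<li class="suggestion">' + customer_id + '</li>'


def render_suggestion_safe(customer_id):
    """Hardened pattern: HTML-escape the value before it becomes element
    content. '<', '>', '&' and quotes are turned into entities."""
    return '<li class="suggestion">' + html.escape(customer_id, quote=True) + '</li>'


def suggestions_as_json(customer_ids):
    """Alternative hardening: hand the autocomplete data to the client as JSON
    (so the client assigns it to textContent, not innerHTML) and escape the
    characters that could close a <script> block if the JSON is ever inlined."""
    text = json.dumps(list(customer_ids))
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def decode_suggestions(text):
    """Round-trip helper: the \\uXXXX escapes decode back to the original value."""
    return json.loads(text)


# RFC 7230 'token' characters, the only ones allowed in a header name.
_HEADER_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_header_value(value):
    """A header value must not contain CR, LF or NUL; those are what let one
    value be turned into an extra header line (header injection)."""
    return not any(ch in value for ch in "\r\n\x00")


def filter_headers(pairs):
    """Split a mapping of candidate headers into (accepted, rejected_names).
    Accept only names that are valid tokens and values that pass
    is_safe_header_value; everything else is reported rather than sent."""
    accepted, rejected = {}, []
    for name, value in pairs.items():
        if _HEADER_NAME_RE.match(name) and is_safe_header_value(value):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    print("unsafe :", render_suggestion_unsafe(SAMPLE_CUSTOMER_ID))
    print("safe   :", render_suggestion_safe(SAMPLE_CUSTOMER_ID))
    print("json   :", suggestions_as_json([SAMPLE_CUSTOMER_ID]))
    print("headers:", filter_headers({"Content-Type": "application/json",
                                      "X-Bad": SAMPLE_HEADER_VALUE}))
```

The escaping step belongs at the point where the value enters HTML, not at input time: the CustomerID is legitimately stored with whatever characters the customer record holds, and it is the renderer's job to make sure it can only ever be text. For headers, rejecting the request (or the individual header) is preferable to silently stripping the CR/LF, because a stripped value is still evidence of an attempted injection worth logging.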
Special thanks to Tim Püttmanns (maxence) for bringing these vulnerabilities to our attention.
Potential Consequences
- Immediate JavaScript code execution after save.
- Web service header injection vulnerability.
Measures for secure operation
Update to OTOBO 10.0.19
A security patch is now available to address this issue. Please upgrade your system to ensure protection.
Bug Fixes
- [Enhancement] Added an optional leeway, i.e., a buffer for timestamp verification during OpenID Connect authentication.
- [bugfix] Fixed an error where customers were prompted to change their password in the agent interface via AdminCustomerUser after modifying their data.
- [bugfix] Corrected the usage of the ‘AuthSyncModule::LDAP::GroupDN’ option.
- [bugfix] Enabled the use of dynamic fields in ElasticSearch searches. Special thanks to wetzf for the pull request.
If you’re a support customer and need help with the security patch, please reach out to us through your support portal login.
Report a security issue:
security@otobo.org