SECURITY ADVISORY
- PUBLISHED: OCTOBER 05, 2023
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSIONS: OTOBO 10.1
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2023-5421
Injecting JavaScript code through customer management
Description
Problem
- XSS vulnerability: an attacker logged in as a user with permission to create and modify customer data could place JavaScript in the CustomerID field; the code is executed in the browser immediately after the data is saved. The issue only occurs if the AdminCustomerUser::UseAutoComplete setting had previously been changed from its default.
Special thanks to Tim Püttmanns (maxence) for bringing this vulnerability to our attention.
Potential Consequences
JavaScript supplied in the CustomerID field is executed in the browser immediately after the record is saved.
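As an added illustration (not OTOBO's code and not the patched code path), the following JavaScript shows the class of defect the advisory describes: a field value under the control of a logged-in user, here a hypothetical CustomerID string, rendered back into the page after a save without output encoding, beside an encoded rendering that keeps the same value inert. The field name, the sample value, the suggestion markup and all function names are constructed for this example.

```javascript
// Added example, not OTOBO code. Illustrates the defect class behind CVE-2023-5421:
// a value controlled by a logged-in user is written into the page after save without
// output encoding. Names, sample value and markup below are constructed.

// Constructed sample: a CustomerID value containing markup. A legitimate ID is plain
// text, so any tag that survives in the rendered fragment indicates missing encoding.
const SAMPLE_CUSTOMER_ID = 'acme"><img src=x onerror=alert(1)>';

// Encode for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode for a value inlined into a JavaScript string literal (for example an
// autocomplete data source emitted inside a <script> block). JSON.stringify escapes
// quotes and backslashes; the extra replace prevents "</script>" from closing the block.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Unsafe rendering: raw interpolation into an attribute and into element content.
function renderSuggestionUnsafe(customerId) {
  return `<li class="suggestion" data-id="${customerId}">${customerId}</li>`;
}

// Hardened rendering: each interpolation is encoded for the context it lands in.
function renderSuggestionSafe(customerId) {
  const enc = escapeHtml(customerId);
  return `<li class="suggestion" data-id="${enc}">${enc}</li>`;
}

// Helper: list the tag names present in a fragment, in document order.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-z][a-z0-9-]*)/gi)].map((m) => m[1].toLowerCase());
}

// The template only ever emits <li>; any other tag name means the value broke out
// of its attribute or text context.
function isInert(html, allowed = ['li']) {
  return tagNames(html).every((name) => allowed.includes(name));
}
```

With the sample value, `isInert(renderSuggestionUnsafe(SAMPLE_CUSTOMER_ID))` is false because an `<img>` tag appears twice in the fragment, once from the attribute and once from the element content, while `isInert(renderSuggestionSafe(SAMPLE_CUSTOMER_ID))` is true. Use `escapeJsString` instead of `escapeHtml` when the value is emitted into script rather than markup; the two contexts need different encodings.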
Measure for secure operation
Update to OTOBO 10.1.8
A security patch is now available to address this issue. Please upgrade your system to ensure protection.
Bug Fixes
- [Enhancement] Added an optional leeway (a tolerance for clock skew) to timestamp verification during OpenID Connect authentication.
- [Translation] Translations into Arabic (Saudi Arabia), German, French, Japanese, Norwegian, Polish, and Russian. Thanks to the community.
- [bugfix] Fixed an error where customers were prompted to change their password in the agent interface via AdminCustomerUser after modifying their data.
- [bugfix] Corrected the usage of the ‘AuthSyncModule::LDAP::GroupDN’ option.
- [bugfix] Enabled the use of dynamic fields in ElasticSearch searches. Special thanks to wetzf for the pull request.
- [bugfix] Hid the response toggle button in CustomerTicketZoom for closed tickets that cannot be reopened.
- [bugfix] Fixed an error in SysConfig that restricted the functionality of keys containing ### in the frontend.
Support customers who need assistance with the security patch can contact us through the support portal.
Report a security issue: security@otobo.org