Upstream has issued an advisory on February 25: https://www.otrs.com/security-advisory-2014-03-xss-issue/

The issue is fixed upstream in 3.2.15.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerability:

An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed (CVE-2014-1695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1695
https://www.otrs.com/security-advisory-2014-03-xss-issue/
http://www.otrs.com/release-notes-otrs-help-desk-3-2-15/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.15-1.mga3
otrs-3.2.15-1.mga4

from SRPMS:
otrs-3.2.15-1.mga3.src.rpm
otrs-3.2.15-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO
Did not find how to check this vulnerability... Tested general installation of otrs on MGA4 32bit:
- installed version from core and ran installer
- logged into otrs
- updated installed version from updates_testing
- logged into updated otrs --> no errors detected
- deleted existing database
- re-ran installer to install updated version
- logged into otrs --> no errors detected

Update tested successfully in MGA4 32bit.
CC: (none) => marc.lattemann
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK
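The comment above could not find a direct way to exercise the vulnerability, so the practical check on a system is whether the installed otrs package is at or above the fixed version named in the advisory (3.2.15). The following is an added example, not part of the bug report or of the Mageia packaging: it parses an rpm name-version-release string such as `otrs-3.2.15-1.mga4` and compares the version against the fixed version using GNU `sort -V`. The sample NVR strings in the usage lines are constructed to match the packages listed above; on a real host the input would come from `rpm -q otrs`.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that an installed otrs
# package is at or above the version that fixes CVE-2014-1695.

# Fixed version named in the upstream and Mageia advisories.
FIXED_VERSION="3.2.15"

# version_from_nvr NVR -> prints the version part of an rpm
# name-version-release string, e.g. "otrs-3.2.15-1.mga4" -> "3.2.15".
# Assumes the package name is exactly "otrs" (true for the packages above).
version_from_nvr() {
    nvr=${1#otrs-}          # drop the "otrs-" name prefix
    printf '%s\n' "${nvr%-*}"   # drop the "-<release>" suffix
}

# otrs_is_fixed VERSION -> exit 0 if VERSION >= FIXED_VERSION, 1 otherwise.
# GNU sort -V orders dotted versions numerically, so 3.2.9 < 3.2.15.
otrs_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# check_package NVR -> prints a verdict and returns the otrs_is_fixed status.
check_package() {
    version=$(version_from_nvr "$1")
    if otrs_is_fixed "$version"; then
        printf '%s: version %s is at or above %s (fixed)\n' "$1" "$version" "$FIXED_VERSION"
        return 0
    fi
    printf '%s: version %s is below %s (vulnerable)\n' "$1" "$version" "$FIXED_VERSION"
    return 1
}

# Constructed sample inputs; on a real host use: check_package "$(rpm -q otrs)"
check_package "otrs-3.2.15-1.mga4" || true
check_package "otrs-3.2.14-2.mga3" || true
```

`sort -V` is a GNU coreutils extension, which is available on Mageia; the version comparison treats an equal version as fixed, since the advisory names 3.2.15 itself as the fixed release.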
update tested successfully in MGA4 64bit based on comment #1
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK
update tested successfully in MGA3 32bit
update tested successfully in MGA3 64bit. If the tests above are sufficient, then the advisory can be uploaded and validated.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => tmb, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0114.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/589096/