OpenSuSE has issued an advisory today (April 22):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html

Upstream released version 3.2.16 on April 1 to fix these issues:
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

A logged-in attacker could insert special content in dynamic fields, leading to JavaScript code being executed in OTRS (CVE-2014-2553).

An attacker could embed OTRS in a hidden <iframe> tag of another page, tricking the user into clicking links in OTRS (CVE-2014-2554).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2554
https://www.otrs.com/security-advisory-2014-04-xss-issue/
https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.16-1.mga3
otrs-3.2.16-1.mga4

from SRPMS:
otrs-3.2.16-1.mga3.src.rpm
otrs-3.2.16-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Procedure in bug 12473
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga3 64: logged in, created an agent, logged out, logged back in as the agent. All OK.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga4 32 & 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0194.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
The advisory page seems to be incomplete. The email message is OK. Compare: http://advisories.mageia.org/MGASA-2014-0194.html https://ml.mageia.org/l/arc/updates-announce/2014-04/msg00062.html
Fixed, thanks for noticing. It was the <iframe> tag in the description breaking the page.
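Added example (not OTRS code and not part of this bug thread; OTRS itself is written in Perl, and the function and header names below are invented for illustration). It shows the two defences behind the advisory above: HTML-escaping a user-supplied dynamic-field value before it is interpolated into a page (the CVE-2014-2553 XSS, and the same unescaped-markup mistake that let a literal <iframe> tag in the description break the advisory page), and checking that a response carries an anti-framing header so the page cannot be embedded in a hidden <iframe> (CVE-2014-2554). Sample payload and headers are constructed for the example.

```python
"""Illustrative helpers for the two OTRS 3.2.16 fixes: dynamic-field XSS
and clickjacking.  Added example, not OTRS's own code."""

import html

# Constructed sample: what an authenticated agent could store in a
# dynamic field before the fix.
SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_dynamic_field_unsafe(value: str) -> str:
    """'Before' behaviour: raw interpolation of a stored field value.

    Any markup in `value` becomes live HTML in the viewing agent's browser.
    Hypothetical markup; not OTRS's real template.
    """
    return f"<td class='DynamicField'>{value}</td>"


def render_dynamic_field(value: str) -> str:
    """'After' behaviour: escape before interpolation.

    quote=True also turns ' and " into entities, so the value is inert even
    when it lands inside an attribute.
    """
    return f"<td class='DynamicField'>{html.escape(value, quote=True)}</td>"


# X-Frame-Options values that stop a cross-site page from framing us.
_BLOCKING_XFO = {"DENY", "SAMEORIGIN"}


def framing_blocked(headers: dict) -> bool:
    """Return True if these response headers forbid cross-site framing.

    Accepts X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-Policy
    whose frame-ancestors directive lists only 'none' and/or 'self'.
    ALLOW-FROM (obsolete, ignored by most browsers) does not count.
    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in _BLOCKING_XFO:
        return True

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        allowed = [s.strip("'").lower() for s in sources.split()]
        if allowed and all(s in ("none", "self") for s in allowed):
            return True
    return False


if __name__ == "__main__":
    print("unsafe :", render_dynamic_field_unsafe(SAMPLE_PAYLOAD))
    print("escaped:", render_dynamic_field(SAMPLE_PAYLOAD))
    # Constructed headers: a fixed and an unfixed response.
    print(framing_blocked({"X-Frame-Options": "SAMEORIGIN"}))   # True
    print(framing_blocked({"Content-Type": "text/html"}))       # False
```

To check a deployed OTRS after updating, fetch any agent page (e.g. with `curl -sI`) and run the headers through `framing_blocked`; the escaping half is the rule to apply to every place a stored value is interpolated into HTML, including the page that rendered this advisory's description.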