CVE-2010-2080
Description
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in OTRS 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in Open Ticket Request System (OTRS) versions 2.3.x prior to 2.3.6 and 2.4.x prior to 2.4.8 [1][3]. The vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. The exact input fields or parameters are not disclosed in the available references.
Exploitation
An attacker must have a valid authenticated account in OTRS to exploit these vulnerabilities. The attack vector is remote, and no additional privileges beyond standard user access are required. The specific steps are not detailed, but the attacker would likely submit crafted input through a vulnerable interface that does not properly sanitize it.
Impact
Successful exploitation enables the attacker to inject arbitrary JavaScript or HTML into the application, which can be executed in the context of other users' sessions. This could lead to theft of session cookies, defacement, or phishing attacks within the OTRS environment.
Mitigation
The vulnerabilities are fixed in OTRS versions 2.3.6 and 2.4.8 [1][3]. Users should upgrade to these versions or apply the patches provided in the OTRS security advisory OSA-2010-02-en [1]. Debian has also released updated packages [3]. No workarounds are documented in the available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:otrs:otrs:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:otrs:otrs:2.4.7:*:*:*:*:*:*:*
- (no CPE) range: <2.3.6 or <2.4.8
Patches
No patches discovered yet.
References
- otrs.org/advisory/OSA-2010-02-en/ (nvd, Vendor Advisory)
- secunia.com/advisories/41381 (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html (nvd)
- security-tracker.debian.org/tracker/CVE-2010-2080 (nvd)
- www.securityfocus.com/bid/43264 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/61868 (nvd)