VYPR
Unrated severity · NVD Advisory · Published Jan 20, 2011 · Updated Apr 29, 2026

CVE-2010-4071

Description

Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2.4.x before 2.4.9, when RichText is enabled, allows remote attackers to inject arbitrary web script or HTML via JavaScript in an HTML e-mail.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in OTRS 2.4.x before 2.4.9 allows attackers to execute arbitrary JavaScript in an agent's browser via HTML email when RichText is enabled.

Vulnerability

In OTRS 2.4.x before 2.4.9, the AgentTicketZoom component does not properly sanitize JavaScript embedded in HTML emails when the RichText feature is enabled [1][2][3]. An attacker can send an email containing malicious JavaScript to an OTRS system address. If an agent views the email in the web interface, the script executes in the agent's session context. Affected versions are all releases of OTRS 2.4.x up to and including 2.4.8 [1][2]. The vulnerability is fixed in OTRS 2.4.9 [1][2].

Exploitation

An external attacker does not require authentication; they only need to send an HTML email to the OTRS system address [1][3]. The email must contain JavaScript code that will be executed when the agent views the ticket. The attacker does not need any special network position beyond being able to send email to the target system. The user interaction required is that an agent opens the email in AgentTicketZoom [1][2]. The exploit can be crafted so that the agent does not realize they are being attacked [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the OTRS agent's web interface [1][2]. This means the attacker can perform any action the agent can, such as viewing or modifying tickets, reading sensitive information, or performing administrative tasks depending on the agent's privileges [1][2]. The confidentiality, integrity, and availability of the OTRS system are at risk, with the primary impact being information disclosure and unauthorized actions.

Mitigation

The vulnerability is fixed in OTRS version 2.4.9 [1][2]. All users of OTRS 2.4.x should upgrade to 2.4.9 or later (e.g., 2.4.10, 3.0.7) [2]. If upgrading is not immediately possible, disabling the RichText feature can reduce the attack surface, but this workaround is not explicitly recommended in the references. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
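The defect described in the Vulnerability section is a stored XSS: an HTML e-mail body is rendered in the agent's browser without the script-bearing parts being removed. The following is an added illustration of the fix class (render only a safelisted subset of HTML) and of the RichText-off workaround (show the body as escaped text). It is not OTRS code and does not reproduce the 2.4.9 patch; the tag and attribute safelists, the function names and the sample e-mail are assumptions constructed for this example.

```python
"""Safelist HTML sanitizer for untrusted e-mail bodies (added example, not OTRS code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed safelist: formatting and structure only, no script-capable elements.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a",
                "img", "blockquote", "pre", "code", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}           # drop the tag AND its text


def _safe_url(value):
    # Browsers ignore whitespace/control characters inside a scheme, so strip
    # them before inspecting it; otherwise "java\tscript:" would slip through.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only safelisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entity-decode, then re-escape
        self.out = []
        self._drop_depth = 0                      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                                # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                continue                          # event handlers never pass
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value or ""):
                continue                          # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):     # <img ... /> style
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions carry no safe content.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass


def sanitize_email_html(html):
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_article_body(html, rich_text=True):
    """Fix path: sanitize before rendering. Workaround path (RichText off):
    never interpret the body as HTML at all, just show it as escaped text."""
    return sanitize_email_html(html) if rich_text else escape(html)


# Constructed sample: formatting mixed with the kinds of content a sanitizer must drop.
SAMPLE_EMAIL_HTML = (
    '<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
    '<a href="javascript:alert(1)">link</a><a href="https://example.com" title="t">ok</a>'
    '<img src="x" onerror="alert(1)"><div>text</div>&lt;b&gt;</p>'
)

if __name__ == "__main__":
    print(render_article_body(SAMPLE_EMAIL_HTML, rich_text=True))
    print(render_article_body(SAMPLE_EMAIL_HTML, rich_text=False))
```

Running the block prints the sanitized body (`<p>Hi <b>there</b><a>link</a>...`) followed by the fully escaped body that a plain-text view would show. The design point is that the safelist is positive: anything the parser does not recognise as known-safe is dropped rather than trying to enumerate dangerous constructs, which is why the unknown `<div>` and the comment handlers simply emit nothing.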

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OTRS/Otrs (9 versions)
    • cpe:2.3:a:otrs:otrs:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:otrs:otrs:2.4.8:*:*:*:*:*:*:*
    • (no CPE) range: <2.4.9

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.