CVE-2019-10067
Description
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logged-in agent with appropriate permissions can trigger XSS in OTRS by manipulating a URL, affecting versions 7.x to 7.0.6, CE 5.0.x to 5.0.35, and CE 6.0.x to 6.0.17.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Open Ticket Request System (OTRS) versions 7.x through 7.0.6, Community Edition 5.0.x through 5.0.35, and Community Edition 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS [1].
Exploitation
An attacker must be an authenticated agent with sufficient permissions. By crafting a malicious URL and tricking a victim (or themselves) into accessing it, the attacker can inject arbitrary JavaScript into the OTRS interface. The exact sequence involves constructing a URL that passes JavaScript code through a parameter, which is then reflected or processed without sanitization [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the OTRS session. This can lead to unauthorized actions, data exfiltration, or session hijacking, depending on the attacker's goals and the victim's privileges [1].
Mitigation
OTRS has released updates to address this vulnerability. Affected users should upgrade to OTRS 7.0.7 or later, Community Edition 5.0.36 or later, or Community Edition 6.0.18 or later. As of the publication date, no workaround is documented. Note that OTRS Community Edition 6.x is end-of-life and no longer receives official security fixes [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OTRS / Open Ticket Request System (from description)
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/otrs?distro=openSUSE%20Leap%2015.1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/opensuse/otrs?distro=openSUSE%20Leap%2015.2 (no CPE), range: < 6.0.29-bp152.2.5.4
  - pkg:rpm/suse/otrs?distro=SUSE%20Package%20Hub%2015 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs?distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs?distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE), range: < 6.0.29-bp152.2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (mitre; vendor-advisory; x_refsource_SUSE)
- community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/ (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.