CVE-2019-16375
Description
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in OTRS allows an authenticated agent or customer user to inject malicious JavaScript into article bodies, executing when another agent replies.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the article body handling of the Open Ticket Request System (OTRS). In affected versions, an authenticated user with appropriate permissions can craft an article body containing malicious JavaScript code. This code is stored and later executed when an agent composes an answer to that original article. Affected versions are OTRS 7.0.x through 7.0.11, Community Edition 6.0.x through 6.0.22, and Community Edition 5.0.x through 5.0.37 [1][2].
Exploitation
An attacker must be logged in as an agent or customer user and possess the necessary permissions to create or modify ticket articles. The attacker then inserts a carefully crafted string containing malicious JavaScript into the article body. When another agent subsequently composes an answer to that article (for example, by clicking "Reply"), the malicious script executes in the agent's browser session [2]. No additional user interaction beyond the standard reply workflow is required.
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim agent's OTRS session. This could enable actions such as performing unauthorized operations with the agent's privileges, accessing sensitive ticket data, or modifying ticket content. The CVSS v3 base score is 3.2 (Low), with a vector of AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, indicating a low impact to integrity only, with scope unchanged [2].
Mitigation
The vulnerability is fixed in OTRS 7.0.12, OTRS 6.0.23, and OTRS 5.0.38, released on 2019-09-03 [2]. Users of supported versions should upgrade immediately. For OTRS 6.0.x Community Edition, note that version 6.0.x is end-of-life and no longer receives official security fixes; OTRS strongly recommends migrating to the current OTRS product [1]. No other workarounds are disclosed in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OTRS / Open Ticket Request System
- Range: >=7.0.0 <=7.0.11, >=5.0.0 <=5.0.37, >=6.0.0 <=6.0.22
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 6.0.29-bp152.2.5.4
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE), range: < 6.0.29-bp152.2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (mitre, mailing-list)
- community.otrs.com/category/security-advisories-en/ (mitre)
- otrs.com/release-notes/otrs-security-advisory-2019-13/ (mitre)
News mentions
No linked articles in our index yet.