CVE-2019-9752
Description
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OTRS 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4 allow stored XSS via crafted file upload due to Content-type mishandling in PictureUpload.pm.
Vulnerability
The vulnerability exists in the PictureUpload.pm module of OTRS. By uploading a carefully crafted resource, an attacker can cause execution of JavaScript in the OTRS context. This is due to mishandling of the Content-type header. Affected versions are OTRS 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4 [1].
Exploitation
An attacker must be logged into OTRS as an agent or a customer user. They can then upload a crafted file with a malicious Content-type that leads to JavaScript execution when the file is processed.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of OTRS, potentially leading to session hijacking, data theft, or other client-side attacks.
Mitigation
Upgrade to OTRS 5.0.34, 6.0.16, 7.0.4 or later. The OTRS community edition 6.x is end-of-life and no longer receives security updates; users should migrate to a supported version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
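As an added defensive illustration (not OTRS code and not drawn from this record's sources), the check below accepts an uploaded picture only when the client-declared Content-Type agrees with the file's leading bytes, and serves accepted files with nosniff so the browser cannot reinterpret the body as HTML. The MIME allow-list, function names and sample bytes are constructed for the example.

```python
from typing import Optional

# Constructed allow-list: magic bytes for the image types a picture upload
# may contain. Types that can carry script, such as image/svg+xml, are
# deliberately absent so they are rejected rather than served as images.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def validate_picture_upload(declared_type: str, data: bytes) -> dict:
    """Accept an upload only if its declared type matches its content.

    The client-supplied Content-Type is never trusted on its own: it must
    equal the sniffed type. Accepted files are served with the sniffed type
    and X-Content-Type-Options: nosniff, so a browser will not reinterpret
    the body as HTML even if it happens to contain markup.
    """
    declared = declared_type.split(";")[0].strip().lower()
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != declared:
        return {
            "accepted": False,
            "reason": f"declared {declared!r} but content looks like {sniffed!r}",
        }
    return {
        "accepted": True,
        "headers": {
            "Content-Type": sniffed,
            "X-Content-Type-Options": "nosniff",
        },
    }
```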
Affected products
OSV package coordinates (5 ranges, no CPE recorded):
- pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1, range: < 5.0.42-bp151.3.3.1
- pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2, range: < 6.0.29-bp152.2.5.4
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015, range: < 5.0.42-bp151.3.3.1
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1, range: < 5.0.42-bp151.3.3.1
- pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2, range: < 6.0.29-bp152.2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (MITRE; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (MITRE; vendor advisory; x_refsource_SUSE)
- community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework (MITRE; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/03/msg00023.html (MITRE; mailing list; x_refsource_MLIST)
News mentions
No linked articles in our index yet.