VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2020 · Updated Sep 17, 2024

Possible XSS in Customer user address book

CVE-2020-1771

Description

An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, the JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in OTRS allows an attacker to craft an article with a malicious link; when an agent opens it, arbitrary JavaScript executes due to missing parameter encoding.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the customer address book of OTRS Community Edition 6.0.26 and prior, and OTRS 7.0.15 and prior [1]. An attacker can craft an article containing a link to the customer address book with malicious JavaScript content. The vulnerability is caused by missing parameter encoding, allowing the injected script to be executed when the link is opened [1].
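The root cause named above is output encoding that is missing for a user-controlled parameter when it is written into a link. The following is an added illustration, not OTRS code: it shows the unsafe pattern (raw interpolation of a customer name into an anchor tag) beside the corrected one, which percent-encodes the value for the query string and then HTML-encodes both the attribute and the link text. The `/addressbook?customer=` path, the function names and the sample customer name are assumptions made for this example; the sample input is chosen to contain every character the encoder must handle rather than any payload.

```javascript
// Added example, not part of the OTRS project. Demonstrates the difference
// between interpolating a user-controlled parameter raw into markup and
// encoding it for each context it lands in (URL query, HTML attribute,
// HTML text). Path and names are hypothetical.

// Escape the five characters that are significant in HTML text and in
// double-quoted attribute values. Ampersand must be replaced first so the
// entities produced by the later replacements are not re-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe variant: the parameter is dropped straight into the href and the
// link text. A value containing a quote or an angle bracket can close the
// attribute or the tag, which is the "missing parameter encoding" class of bug.
function buildLinkUnsafe(customerName) {
  return '<a href="/addressbook?customer=' + customerName + '">' +
         customerName + '</a>';
}

// Corrected variant: percent-encode the value for the query string, then
// HTML-encode the whole href (attribute context) and the visible text
// (text context). Each layer of encoding matches the context it is written into.
function buildLinkSafe(customerName) {
  const href = "/addressbook?customer=" + encodeURIComponent(customerName);
  return '<a href="' + htmlEncode(href) + '">' + htmlEncode(customerName) + '</a>';
}

// Simple check a reviewer or test suite can run over rendered output: a
// correctly encoded anchor contains no raw '<' or '"' between its two tags
// other than the ones that form the tags themselves.
function hasUnencodedMarkup(html) {
  const inner = html.replace(/^<a href="/, "").replace(/<\/a>$/, "");
  return /[<>"]/.test(inner.replace(/">/, ""));
}

// Constructed sample value containing every character the encoder handles.
const SAMPLE_CUSTOMER = "O'Brien & Sons <Ltd>";

console.log("unsafe:", buildLinkUnsafe(SAMPLE_CUSTOMER));
console.log("safe:  ", buildLinkSafe(SAMPLE_CUSTOMER));
```

The same three-layer rule applies server-side in any template engine: encode for the URL, then for the attribute, then for text, and never rely on a single generic "escape" pass for all three.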

Exploitation

To exploit this, the attacker must be able to create or modify articles in OTRS (i.e., be an authenticated user with the appropriate permissions). The attacker embeds a crafted link containing JavaScript in an article. When an agent (typically a helpdesk staff member) opens that article and clicks the malicious link, the script executes in the agent's browser session [1]. No further user interaction is required beyond clicking the link.

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim agent's OTRS session. This can result in limited information disclosure (e.g., reading of session tokens or interface data) and limited manipulation of the interface (e.g., modifying displayed content) [1]. The CVSS vector indicates a medium severity with LOW impact on confidentiality and integrity, and NO impact on availability [1].

Mitigation

The issue is fixed in OTRS 7.0.16 and OTRS Community Edition 6.0.27 [1]. Administrators should upgrade to these patched versions immediately. No workarounds are mentioned in the available references. The fix is tracked as commit 2576830053f70a3a9251558e55f34843dec61aa2 for the Community Edition [1]. CVE-2020-1771 is not listed on the CISA KEV catalogue as of the advisory publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 9

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.