CVE-2025-52204

A reflected Cross-Site Scripting (XSS) vulnerability exists in Znuny (formerly OTRS) in the customer.pl endpoint. The flaw arises because the OTRSCustomerInterface parameter (or the parameter defined by the CustomerPanelSessionName system configuration) is not properly sanitized before being reflected in the HTTP response. This allows an attacker to inject arbitrary HTML or JavaScript into the page returned to the victim [2].

Exploitation requires no authentication and can be performed remotely by sending a crafted GET request to the public customer-facing interface. The attacker only needs to lure a victim into clicking a malicious link or visiting a crafted URL. The vulnerability has been confirmed in Znuny LTS 6.5.10 and Znuny 7.1.3, and observed in the wild on versions ranging from 6.5.9 to 6.5.18 and 7.0.11 to 7.2.3 [2].

Successful exploitation allows an unauthenticated remote attacker to inject arbitrary HTML or JavaScript into the response, manipulate the customer-facing login interface, display deceptive or phishing-style content, redirect users to attacker-controlled resources, or execute script in the victim's browser within the context of the affected application [2].

As of the publication date, no official patch has been announced for this specific CVE. Users are advised to apply input validation and output encoding for the affected parameter, or upgrade to a version that includes a fix if one becomes available. The Znuny project maintains LTS releases and may address this in a future update [1][2].