24419 2010-10-25 15:56:54 +0400 AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails 2010-10-29 09:26:17 +0400 1 1 4 Development Sisyphus otrs unstable all Linux CLOSED FIXED http://otrs.org/advisory/OSA-2010-03-en/ security P3 blocker --- 1 crux asy asy zidex qa-sisyphus oldest_to_newest 114247 0 crux 2010-10-25 15:56:54 +0400 Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS, javascript contained in the email can do everything in the OTRS agent interface that the agent himself could do. Most relevant is that this type of exploit can be used in such a way that the agent won't even detect he is being exploited. Affected by this vulnerability are all releases of OTRS 2.4.x up to and including 2.4.8. This vulnerability is fixed in OTRS 2.4.9. 114265 1 repository-robot 2010-10-25 21:36:37 +0400 otrs-2.4.9-alt1 -> sisyphus: * Mon Oct 25 2010 Pavel Zilke <zidex at altlinux> 2.4.9-alt1 - Security fixes: + AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails; OSA-2010-03 (ALT #24419)