====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN419
____________________________________________________________________

DATE                :  19/10/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running OTRS Help Desk versions 2.4.x,
                        3.0.x, 3.1.x prior to 2.4.15, 3.0.17, 3.1.11.

======================================================================
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
______________________________________________________________________

Security Advisory 2012-03

Oktober 16, 2012 -- Please read carefully and check if the version of
your OTRS system is affected by this vulnerability.


Security Advisory Details

    Date: Oct. 16, 2012
    Title: XSS vulnerability
    Severity: Low (Overall CVSS Score: 3.9)
    Affected:
        OTRS Help Desk 2.4.x
        OTRS Help Desk 3.0.x
        OTRS Help Desk 3.1.x
    Fixed in:
        OTRS 2.4.15, 3.0.17, 3.1.11

    FULL CVSS v2 VECTOR:
AV:N/AC:L/AU:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

    References:
        CVE-2012-4751
        VU#603276


Vulnerability Description

This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your browser while displaying the
email. In this case this is achieved by using javascript source
attributes with whitespaces.

Affected by this vulnerability are all releases of OTRS 2.4.x up to and
including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to and
including 3.1.10.




Recommended Resolution

This vulnerability is fixed in OTRS 2.4.15, 3.0.17 and 3.1.11, and it
is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at:
http://www.otrs.com/open-source/community-news/releases-notes/

You can also replace the following files with a fixed version, which
are available at http://source.otrs.org/

OTRS 3.1.x:

    Kernel/System/HTMLUtils.pm 1.35.2.4

OTRS 3.0.x:

    Kernel/System/HTMLUtils.pm 1.27.2.6

OTRS 2.4.x:

    Kernel/Modules/CustomerTicketAttachment.pm 1.17.2.8
    Kernel/Modules/AgentTicketAttachment.pm 1.22.2.8


For OTRS versions older than 3.0.12, you also need to update
AgentTicketZoom.pm. This is because of bugfix #7005 in 3.0.12, where
both files (.pm and .dtl) were affected.

So please update the .pm file to: AgentTicketZoom.pm 1.145.2.5, which
is available at
http://source.otrs.org/viewvc.cgi/otrs/Kernel/Module/AgentTicketZoom.pm?revision=1.145.2.5&view=markup&pathrev=rel-3_0

However, to avoid unwanted side effects, we recommend a complete
update.

======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================