znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Does CVE-2021-36092 affect Znuny? #105

Closed carnil closed 3 years ago

carnil commented 3 years ago

In the recent update CVE-2021-36091, CVE-2021-21440 and CVE-2021-21443 were addressed.

There is https://otrs.com/release-notes/otrs-security-advisory-2021-15/ for the OTRS version, which is said to:

PRODUCT AFFECTED:

This issue affects ((OTRS)) Community Edition 6.0.x.

This issue affects OTRS 7.0.x, 8.0.x.

Does this issue affect Znuny as well? Is more known about it?

hanneshal commented 3 years ago

Hi,

Yes. The chances are good that we are affected by this. We did not manage to create a valid XSS in the ticket zoom view or other views which quote the E-Mail content.

The CVE is pretty vague about where and what, and there is no information about this from OTRS itself to the community.

We modified the link detection logic for some special cases, but did not link this to the CVE due to a missing example.

So without any more details about this or someone who can at least send a sample mail, we are not able to solve this here.

Regards,
Johannes

carnil commented 3 years ago

@hanneshal thanks for the quick followup!