CVE-2007-2524 - OpenCVE

Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Otrs	Otrs

Configuration 1 [-]

cpe:2.3:a:otrs:otrs:2.0.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/35821
http://osvdb.org/35822
http://secunia.com/advisories/25205
http://secunia.com/advisories/25419
http://secunia.com/advisories/25787
http://securityreason.com/securityalert/2668
http://www.debian.org/security/2007/dsa-1298
http://www.novell.com/linux/security/advisories/2007_13_sr.html
http://www.securityfocus.com/archive/1/467870/100/0/threaded
http://www.securityfocus.com/archive/1/471192/100/0/threaded
http://www.securityfocus.com/bid/23862
http://www.virtuax.be/?page=library&id=35&type=Exploits
http://www.vupen.com/english/advisories/2007/1698
https://exchange.xforce.ibmcloud.com/vulnerabilities/34164

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-05-08T23:00:00

Updated: 2024-08-07T13:42:33.180Z

Reserved: 2007-05-08T00:00:00

Link: CVE-2007-2524

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-05-08T23:19:00.000

Modified: 2018-10-16T16:44:24.227

Link: CVE-2007-2524

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-05-07T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2007-1698", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/1698"}, {"tags": ["x_refsource_MISC"], "url": "http://www.virtuax.be/?page=library&id=35&type=Exploits"}, {"name": "20070611 Re: [SECURITY] [DSA 1299-1] New ipsec-tools packages fix denial ofservice", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/471192/100/0/threaded"}, {"name": "otrs-indexpl-xss(34164)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34164"}, {"name": "23862", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/23862"}, {"name": "25205", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25205"}, {"name": "35822", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/35822"}, {"name": "DSA-1298", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2007/dsa-1298"}, {"name": "2668", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2668"}, {"name": "SUSE-SR:2007:013", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "20070507 OTRS <= 2.0.x XSS/XSRF", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/467870/100/0/threaded"}, {"name": "25787", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25787"}, {"name": "25419", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25419"}, {"name": "35821", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/35821"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-2524", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2007-1698", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1698"}, {"name": "http://www.virtuax.be/?page=library&id=35&type=Exploits", "refsource": "MISC", "url": "http://www.virtuax.be/?page=library&id=35&type=Exploits"}, {"name": "20070611 Re: [SECURITY] [DSA 1299-1] New ipsec-tools packages fix denial ofservice", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/471192/100/0/threaded"}, {"name": "otrs-indexpl-xss(34164)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34164"}, {"name": "23862", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23862"}, {"name": "25205", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25205"}, {"name": "35822", "refsource": "OSVDB", "url": "http://osvdb.org/35822"}, {"name": "DSA-1298", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1298"}, {"name": "2668", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2668"}, {"name": "SUSE-SR:2007:013", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "20070507 OTRS <= 2.0.x XSS/XSRF", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/467870/100/0/threaded"}, {"name": "25787", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25787"}, {"name": "25419", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25419"}, {"name": "35821", "refsource": "OSVDB", "url": "http://osvdb.org/35821"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:42:33.180Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2007-1698", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/1698"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.virtuax.be/?page=library&id=35&type=Exploits"}, {"name": "20070611 Re: [SECURITY] [DSA 1299-1] New ipsec-tools packages fix denial ofservice", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/471192/100/0/threaded"}, {"name": "otrs-indexpl-xss(34164)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34164"}, {"name": "23862", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/23862"}, {"name": "25205", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25205"}, {"name": "35822", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/35822"}, {"name": "DSA-1298", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2007/dsa-1298"}, {"name": "2668", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2668"}, {"name": "SUSE-SR:2007:013", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"name": "20070507 OTRS <= 2.0.x XSS/XSRF", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/467870/100/0/threaded"}, {"name": "25787", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25787"}, {"name": "25419", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25419"}, {"name": "35821", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/35821"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-2524", "datePublished": "2007-05-08T23:00:00", "dateReserved": "2007-05-08T00:00:00", "dateUpdated": "2024-08-07T13:42:33.180Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5386B686-3421-4F4E-AC5E-6567FE12E03B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Request System (OTRS) 2.0.x allows remote attackers to inject arbitrary web script or HTML via the Subaction parameter in an AgentTicketMailbox Action. NOTE: DEBIAN:DSA-1299 originally used this identifier for an ipsec-tools issue, but the proper identifier for the ipsec-tools issue is CVE-2007-1841."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo index.pl en Open Ticket Request System (OTRS) versi\u00f3n 2.0.x, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro Subaction en una acci\u00f3n AgentTicketMailbox. NOTA: DEBIAN: DSA-1299 originalmente us\u00f3 este identificador para un problema de ipsec-tools, pero el identificador adecuado para el problema de ipsec-tools es CVE-2007-1841."}], "id": "CVE-2007-2524", "lastModified": "2018-10-16T16:44:24.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2007-05-08T23:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/35821"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/35822"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25205"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25419"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/25787"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2668"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1298"}, {"source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_13_sr.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/467870/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/471192/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/23862"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.virtuax.be/?page=library&id=35&type=Exploits"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1698"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34164"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}