Description
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter.
Published: 2026-03-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (script injection)
Action: Apply Patch
AI Analysis

Impact

A cross-site scripting vulnerability is present in Znuny::ITSM 6.5.x within the customer.pl endpoint when the OTRSCustomerInterface parameter is used. Because the parameter value is rendered without proper input sanitization, an attacker can embed malicious JavaScript in the page. If executed in a victim's browser, the script could read cookies, hijack sessions, or perform actions on behalf of the user, compromising the confidentiality and integrity of user accounts and potentially enabling further attacks.

Affected Systems

The affected product is Znuny::ITSM 6.5.x, as noted in the advisory. No earlier or later version information is available, so all releases within the 6.5.x series should be treated as vulnerable until an update is released by the developers.

Risk and Exploitability

The vulnerability scores CVSS 6.1 with an EPSS of less than 1%, indicating a low current probability of exploitation. It is not listed in the CISA KEV catalog. Because the flaw is reached through HTTP requests to the customer.pl page, any user with web access could attempt exploitation. While the current threat level is moderate, administrators should patch or apply mitigations promptly.

Generated by OpenCVE AI on March 24, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a vendor-provided patch or upgrade to a newer version once available
  • If no patch is available, escape or encode the OTRSCustomerInterface parameter before rendering the page or disable the parameter entirely
  • Restrict access to the customer.pl endpoint to known IP ranges or authenticated users when possible
  • Monitor application logs for anomalous input or repeated XSS attempt patterns
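As an added example covering the second and fourth actions above (this is not OpenCVE's or Znuny's code): an output-encoding helper for the reflected parameter, and a scan of constructed access-log lines for customer.pl requests whose OTRSCustomerInterface value carries HTML metacharacters after URL decoding. The combined-style log format, the /otrs/ path prefix and the client addresses are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined"-style access-log line (assumed format; only the fields needed here are captured).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Characters that must never reach an HTML context unencoded; "javascript:" covers URL-attribute sinks.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

def encode_for_html(value: str) -> str:
    """Output encoding to apply before reflecting the parameter: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)

def flag_suspicious_requests(log_lines):
    """Return (client ip, decoded value) for customer.pl requests whose
    OTRSCustomerInterface value contains HTML/JS metacharacters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry in the assumed format
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/customer.pl"):
            continue  # only the affected endpoint is of interest
        # parse_qs URL-decodes values, so percent-encoded markup (%3C...) is inspected in plain form
        for value in parse_qs(parts.query, keep_blank_values=True).get("OTRSCustomerInterface", []):
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Mar/2026:10:00:01 +0000] "GET /otrs/customer.pl?Action=CustomerLogin&OTRSCustomerInterface=Support HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Mar/2026:10:00:09 +0000] "GET /otrs/customer.pl?OTRSCustomerInterface=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.1" 200 5144',
    '203.0.113.9 - - [24/Mar/2026:10:00:12 +0000] "GET /otrs/index.pl?Action=Login&OTRSCustomerInterface=%3C HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent OTRSCustomerInterface={value!r}; safe rendering: {encode_for_html(value)}")
```

Only the second sample line is flagged: the first carries a plain value and the third targets a different endpoint.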

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:00:00 +0000
Type: References

Wed, 25 Mar 2026 15:00:00 +0000
Type: Title
Values Added: Cross-Site Scripting in Znuny::ITSM 6.5.x Customer Interface

Tue, 24 Mar 2026 16:15:00 +0000
Type: Weaknesses
Values Added: CWE-79
Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000
Type: First Time appeared
Values Added: Znuny, Znuny znuny
Type: Vendors & Products
Values Added: Znuny, Znuny znuny

Mon, 23 Mar 2026 20:00:00 +0000
Type: Description
Values Added: A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter
Type: References

MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-03-26T15:41:32.617Z
Reserved: 2025-06-16T00:00:00.000Z
Link: CVE-2025-52204

Vulnrichment
Updated: 2026-03-24T15:01:13.680Z

NVD
Status: Awaiting Analysis
Published: 2026-03-23T20:16:23.263
Modified: 2026-03-26T16:16:04.410
Link: CVE-2025-52204

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-03-25T14:50:05Z

Weaknesses