CVE-2021-36094 (GCVE-0-2021-36094)
Vulnerability from cvelistv5
Published
2021-09-06 13:15
Modified
2024-09-16 19:09
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Summary
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
References
Impacted products
Vendor Product Version
OTRS AG ((OTRS)) Community Edition Version: 6.0.1   < 6.0.x*
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:47:43.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-17/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "((OTRS)) Community Edition",
          "vendor": "OTRS AG",
          "versions": [
            {
              "lessThan": "6.0.x*",
              "status": "affected",
              "version": "6.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "lessThanOrEqual": "7.0.28",
              "status": "affected",
              "version": "7.0.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-09-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It\u0027s possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-06T13:15:25",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-17/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to OTRS 7.0.29."
        }
      ],
      "source": {
        "advisory": "OSA-2021-17",
        "defect": [
          "2021062442001352"
        ],
        "discovery": "USER"
      },
      "title": "XSS attack in appointment edit popup screen",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@otrs.com",
          "DATE_PUBLIC": "2021-09-06T00:00:00.000Z",
          "ID": "CVE-2021-36094",
          "STATE": "PUBLIC",
          "TITLE": "XSS attack in appointment edit popup screen"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "((OTRS)) Community Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_name": "6.0.x",
                            "version_value": "6.0.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "OTRS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "7.0.x",
                            "version_value": "7.0.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OTRS AG"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It\u0027s possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://otrs.com/release-notes/otrs-security-advisory-2021-17/",
              "refsource": "CONFIRM",
              "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-17/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to OTRS 7.0.29."
          }
        ],
        "source": {
          "advisory": "OSA-2021-17",
          "defect": [
            "2021062442001352"
          ],
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2021-36094",
    "datePublished": "2021-09-06T13:15:25.712091Z",
    "dateReserved": "2021-07-01T00:00:00",
    "dateUpdated": "2024-09-16T19:09:09.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-36094\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2021-09-06T14:15:07.257\",\"lastModified\":\"2024-11-21T06:13:08.777\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It\u0027s possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.\"},{\"lang\":\"es\",\"value\":\"Es posible dise\u00f1ar una petici\u00f3n para la pantalla de edici\u00f3n de citas, lo que podr\u00eda conllevar a un ataque de tipo XSS. Este problema afecta a: OTRS AG ((OTRS)) Community Edition versi\u00f3n 6.0.x, versi\u00f3n 6.0.1 y versiones posteriores. OTRS AG OTRS versi\u00f3n 7.0.x, versi\u00f3n 7.0.28 y versiones anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"6.0.1\",\"matchCriteriaId\":\"3B2D503B-661B-43EC-9902-D0613A037AA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.29\",\"matchCriteriaId\":\"336DCF0F-236B-46A0-A112-A201F9B6014D\"}]}]}],\"references\":[{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2021-17/\",\"source\":\"security@otrs.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2021-17/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.