Bug 1213597 (CVE-2023-38057)

Summary: VUL-0: CVE-2023-38057: otrs: improper input validation vulnerability in Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Wolfgang Engel <wolfgang.engel>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: dmueller
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373292/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-07-24 12:23:15 UTC
CVE-2023-38057

An improper input validation vulnerability in OTRS Survey modules allows any
attacker with a link to a valid and unanswered survey request to inject
JavaScript code in free text answers. This allows a cross-site scripting attack
while reading the replies as an authenticated agent.
This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X
before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through
6.0.22.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38057
https://www.cve.org/CVERecord?id=CVE-2023-38057
https://otrs.com/release-notes/otrs-security-advisory-2023-06/

Comment 1 Robert Frohl 2023-07-24 12:25:24 UTC
recent openSUSE:Backports:* on 6.0.30.

closing.