Bug 1213597 (CVE-2023-38057) - VUL-0: CVE-2023-38057: otrs: improper input validation vulnerability in Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers
Status: RESOLVED INVALID
Alias: CVE-2023-38057
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assignee: Wolfgang Engel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373292/
 
Reported: 2023-07-24 12:23 UTC by Robert Frohl
Modified: 2023-07-24 12:25 UTC (History)
Found By: Security Response Team


Description Robert Frohl 2023-07-24 12:23:15 UTC
CVE-2023-38057

An improper input validation vulnerability in OTRS Survey modules allows any
attacker with a link to a valid and unanswered survey request to inject
javascript code in free text answers. This allows a cross site scripting attack
while reading the replies as authenticated agent.
This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X
before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through
6.0.22.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38057
https://www.cve.org/CVERecord?id=CVE-2023-38057
https://otrs.com/release-notes/otrs-security-advisory-2023-06/
Comment 1 Robert Frohl 2023-07-24 12:25:24 UTC
recent openSUSE:Backports:* on 6.0.30.

closing.