CVE-2023-5421

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-5421

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5421.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-5421

Downstream

UBUNTU-CVE-2023-5421

Published

2023-10-16T09:15:11.940Z

Modified

2026-03-14T12:23:16.996603Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

References

https://otrs.com/release-notes/otrs-security-advisory-2023-09/

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5421.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "6.0.0"
            },
            {
                "last_affected": "6.0.34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "7.0.0"
            },
            {
                "fixed": "7.0.47"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.0.0"
            },
            {
                "fixed": "8.0.37"
            }
        ]
    }
]