nvd-json-data-feeds/CVE-2020/CVE-2020-17xx/CVE-2020-1771.json

{
  "id": "CVE-2020-1771",
  "sourceIdentifier": "security@otrs.com",
  "published": "2020-03-27T13:15:15.333",
  "lastModified": "2023-08-31T03:15:11.237",
  "vulnStatus": "Modified",
  "descriptions": [
    {
      "lang": "en",
      "value": "Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions."
    },
    {
      "lang": "es",
      "value": "Un atacante es capaz de dise\u00f1ar un art\u00edculo con un enlace hacia la libreta de direcciones del cliente con contenido malicioso (JavaScript). Cuando el agente abre el enlace, el c\u00f3digo JavaScript es ejecutado debido a la falta de codificaci\u00f3n de par\u00e1metros. Este problema afecta a: ((OTRS)) Community Edition: versiones 6.0.26 y anteriores. OTRS: versiones 7.0.15 y anteriores."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7
      },
      {
        "source": "security@otrs.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "SINGLE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.5
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    },
    {
      "source": "security@otrs.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
              "versionStartIncluding": "5.0.0",
              "versionEndIncluding": "5.0.41",
              "matchCriteriaId": "D59B7180-350C-4CB2-82F6-DE65E13AEED9"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
              "versionStartIncluding": "6.0.0",
              "versionEndIncluding": "6.0.26",
              "matchCriteriaId": "0EF80E5E-ED59-4BEE-9EBF-34485DCABED1"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "7.0.0",
              "versionEndIncluding": "7.0.15",
              "matchCriteriaId": "57789F0A-B1F9-4E57-BA71-5558A285D1CA"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html",
      "source": "security@otrs.com",
      "tags": [
        "Broken Link"
      ]
    },
    {
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html",
      "source": "security@otrs.com",
      "tags": [
        "Broken Link"
      ]
    },
    {
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html",
      "source": "security@otrs.com",
      "tags": [
        "Broken Link"
      ]
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html",
      "source": "security@otrs.com"
    },
    {
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-08/",
      "source": "security@otrs.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}