Znuny ITSM Cross-Site Scripting Vulnerability in Customer.pl Endpoint

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in Znuny ITSM versions 6.5.x, 7.0.11, and 7.2.x. The vulnerability resides in the customer.pl endpoint, where the OTRSCustomerInterface parameter can be manipulated to inject arbitrary HTML or JavaScript. This issue allows attackers to alter the customer-facing login interface, display deceptive content, redirect users to malicious sites, and execute scripts in the context of the affected application.

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting, where injected scripts are executed in the victim's browser within the context of the application.

Reproduction

The vulnerability can be reproduced by sending a crafted GET request to the customer.pl endpoint with a payload injected into the OTRSCustomerInterface parameter. The issue is reproducible on Znuny ITSM versions 6.5.9, 7.1.3, 7.0.11, and 7.2.x.
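As an added defender-side example that is not part of this advisory, the following Python scans web server access-log lines for requests to customer.pl whose OTRSCustomerInterface parameter carries HTML or JavaScript metacharacters, which a legitimate interface name never contains. The combined log format, the /otrs/ path prefix and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line inside an Apache/Nginx combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that never belong in a legitimate OTRSCustomerInterface value,
# which is expected to be a plain interface name such as "Customer".
SUSPICIOUS_CHARS = set('<>"\'()')

# Constructed sample log lines (not real traffic); the /otrs/ prefix is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:20:31:00 +0000] "GET /otrs/customer.pl?Action=Login&OTRSCustomerInterface=Customer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2026:20:32:10 +0000] "GET /otrs/customer.pl?OTRSCustomerInterface=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:20:33:00 +0000] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_request_target(line: str):
    """Return (method, path, query) from one access-log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("method"), parts.path, parts.query


def is_suspicious_customer_request(line: str) -> bool:
    """True if the line hits customer.pl with metacharacters in OTRSCustomerInterface."""
    parsed = parse_request_target(line)
    if parsed is None:
        return False
    _method, path, query = parsed
    if not path.endswith("/customer.pl"):
        return False
    # parse_qs percent-decodes values, so encoded payloads are inspected in clear.
    values = parse_qs(query, keep_blank_values=True).get("OTRSCustomerInterface", [])
    return any(SUSPICIOUS_CHARS & set(v) for v in values)


def find_suspicious_requests(log_text: str):
    """Return a list of (line_number, client_ip) for every flagged log line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if is_suspicious_customer_request(line):
            hits.append((lineno, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    print(find_suspicious_requests(SAMPLE_LOG))  # [(2, '203.0.113.9')]
```

Feeding the real access log through find_suspicious_requests gives a quick indicator of whether the endpoint was probed before the upgrade was applied.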

Remediation

Users are advised to upgrade to Znuny LTS 6.5.19 or Znuny 7.3.1, where this vulnerability has been fixed.

Added: Mar 23, 2026, 8:31 PM
Updated: Mar 23, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 7.1
remediation: 7.9
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.