{"id":"CVE-2019-9752","details":"An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Modules/PictureUpload.pm.","modified":"2026-03-12T23:34:27.141790Z","published":"2019-03-13T22:29:00.660Z","related":["openSUSE-SU-2020:0551-1","openSUSE-SU-2020:1475-1","openSUSE-SU-2020:1509-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html"},{"type":"FIX","url":"https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9752.json","unresolved_ranges":[{"events":[{"introduced":"5.0.0"},{"fixed":"5.0.34"}]},{"events":[{"introduced":"6.0.0"},{"fixed":"6.0.16"}]},{"events":[{"introduced":"7.0.0"},{"fixed":"7.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-sp1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}