CVE-2023-38057— XSS stored in survey answers
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-38057
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XSS stored in survey answers
Source: NVD (National Vulnerability Database)
Vulnerability Description
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
OTRS 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OTRS是德国OTRS公司的一个应用软件。一个服务管理软件。 OTRS 7.0.32之前的7.0.X版本和8.0.13之前的8.0.X版本存在安全漏洞,该漏洞源于存在不正确的输入验证漏洞,攻击者可以在自由文本答案中注入javascript代码,进行跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| OTRS AG | OTRS | 7.0.x ~ 7.0.32 | - | |
| OTRS AG | ((OTRS)) Community Edition | 6.0.x ~ 6.0.22 | - |
II. Public POCs for CVE-2023-38057
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-38057
请登录查看更多情报信息。
Other References for CVE-2023-38057 (1)
Same Patch Batch · OTRS AG · 2023-07-24 · 4 CVEs total
| CVE-2023-38056 | 7.2 HIGH | Code execution via System Configuration |
| CVE-2023-38060 | 6.3 MEDIUM | Host header injection by attachments in web service |
| CVE-2023-38058 | 4.1 MEDIUM | Tickets can be moved without permissions |
IV. Related Vulnerabilities
Same weakness: CWE-20
- CVE-2026-26147
Azure Stack HCI Information Disclosure Vulnerability - CVE-2026-40411
Azure Virtual Network Gateway Remote Code Execution Vulnerab - CVE-2026-3294
Authentication Logic Vulnerability on Multiple TP-Link Range - CVE-2026-34207
TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames i - CVE-2026-44417
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS
V. Comments for CVE-2023-38057
No comments yet