{"api_version":"1","generated_at":"2026-04-23T01:33:34+00:00","cve":"CVE-2023-38057","urls":{"html":"https://cve.report/CVE-2023-38057","api":"https://cve.report/api/cve/CVE-2023-38057.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-38057","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-38057"},"summary":{"title":"CVE-2023-38057","description":"An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.\nThis issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.","state":"PUBLIC","assigner":"security@otrs.com","published_at":"2023-07-24 09:15:00","updated_at":"2023-08-04 18:48:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2023-06/","name":"https://otrs.com/release-notes/otrs-security-advisory-2023-06/","refsource":"MISC","tags":[],"title":"OTRS Security Advisory 2023-06 | OTRS","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38057","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38057","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"38057","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38057","vulnerable":"1","versionEndIncluding":"6.0.22","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38057","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"survey","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38057","vulnerable":"1","versionEndIncluding":"6.0.22","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"survey","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-38057","ASSIGNER":"security@otrs.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent.\nThis issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"OTRS AG","product":{"product_data":[{"product_name":"OTRS","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThan":"7.0.32","status":"affected","version":"7.0.x","versionType":"Patch"},{"lessThan":"8.0.13","status":"affected","version":"8.0.x","versionType":"Patch"}],"defaultStatus":"affected"}}]}},{"product_name":"((OTRS)) Community Edition","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThanOrEqual":"6.0.22","status":"affected","version":"6.0.x","versionType":"All"}],"defaultStatus":"affected"}}]}}]}}]}},"references":{"reference_data":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2023-06/","refsource":"MISC","name":"https://otrs.com/release-notes/otrs-security-advisory-2023-06/"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"advisory":"OSA-2023-06","defect":["Issue#769","Ticket#2023020942001367"],"discovery":"EXTERNAL"},"configuration":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Free text answers have to be used<br>"}],"value":"Free text answers have to be used\n"}],"solution":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\nUpdate Survey package to version 8.0.13 or 7.0.32\n<br>"}],"value":"Update Survey package to version 8.0.13 or 7.0.32\n\n"}],"credits":[{"lang":"en","value":"Special thanks to  Daniel Mizael, Raphael Fiorin and Marcelo Makotofrom for reporting these vulnerability."}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.1,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-07-24 09:15:00","lastModifiedDate":"2023-08-04 18:48:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:survey:*:*:*:*:community:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.22","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:survey:*:*:*:*:-:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.32","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:survey:*:*:*:*:-:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.13","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}