LOW · CVE-2022-0475 · CVSS 3.5

CVE-2022-0475: XSS in OTRS ≤8.0.19

Platform: otrs

Component: otrs

Fixed in: unknown (for both the 7.0.x and 8.0.x affected ranges)

AI Confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2022-0475 describes a Cross-Site Scripting (XSS) vulnerability discovered in OTRS. An attacker, specifically a malicious translator, can inject JavaScript code into translatable strings where HTML is permitted. This injected code could then be executed within the Package manager, potentially leading to unauthorized actions or data theft. This vulnerability impacts OTRS versions 7.0.x prior to 7.0.32 and 8.0.x prior to 8.0.19. A patch is available to resolve this issue.

Impact and Attack Scenarios

The primary impact of CVE-2022-0475 is the potential for arbitrary JavaScript execution within the OTRS Package manager. A successful exploit could allow an attacker to steal sensitive data, modify system configurations, or even gain control of the OTRS instance. Given that OTRS is often used for customer service and support, this could expose customer data, internal communications, and other confidential information. The ability to execute code within the Package manager significantly expands the attack surface, potentially allowing for persistent backdoors or further exploitation of the system. While the CVSS score is LOW, the potential for data compromise and system manipulation warrants immediate attention.

Exploitation Context

CVE-2022-0475 was publicly disclosed on March 21, 2022. No known active exploitation campaigns have been reported at the time of writing. There are currently no public proof-of-concept exploits available. The vulnerability has not been added to the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but proactive mitigation is still recommended.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.31% (54% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Base score: 3.5 (LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: otrs
Vendor: OTRS AG

Affected range        Fixed in
7.0.0 – 7.0.32        unknown
8.0.0 – 8.0.19        unknown

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 1525 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2022-0475 is to upgrade to a patched version of OTRS; OTRS AG has released updates that address this vulnerability. If upgrading immediately is not feasible, consider temporary workarounds: review and restrict translators' ability to include HTML in translatable strings, apply strict input validation and context-appropriate output encoding to user-supplied data before it is rendered, and consider a Web Application Firewall (WAF) to filter known malicious JavaScript payloads. After upgrading, confirm the fix by entering a simple JavaScript payload into a translatable string in a test environment and verifying that it is rendered as text rather than executed.

How to fix

Upgrade OTRS to a version later than 7.0.32 or 8.0.19, as applicable, to fix the XSS vulnerability. Consult the OTRS security advisory for further details and specific upgrade instructions.

Frequently asked questions

What is CVE-2022-0475 — XSS in OTRS ≤8.0.19?

CVE-2022-0475 is a Cross-Site Scripting (XSS) vulnerability affecting OTRS versions 7.0.x (≤7.0.32) and 8.0.x (≤8.0.19). It allows malicious translators to inject JavaScript code.

Am I affected by CVE-2022-0475 in OTRS?

You are affected if you are running OTRS versions 7.0.x prior to 7.0.32 or 8.0.x prior to 8.0.19.

How do I fix CVE-2022-0475 in OTRS?

Upgrade to a patched version of OTRS. Check the official OTRS advisory for the latest available fix.

Is CVE-2022-0475 being actively exploited?

No active exploitation campaigns have been reported at this time, but proactive mitigation is still recommended.

Where can I find the official OTRS advisory for CVE-2022-0475?

Refer to the official OTRS security advisory for detailed information and patch instructions: https://otrs.com/security-advisories/