On 03.11.2016 at 19:48, Salvatore Bonaccorso wrote:
> Source: otrs2
> Version: 3.3.9-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for otrs2.
>
> CVE-2016-9139[0]:
> |An attacker could trick an authenticated agent or customer into opening
> |a malicious attachment which could lead to the execution of JavaScript
> |in OTRS context
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9139
> [1] https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
>
> Please adjust the affected versions in the BTS as needed.
>
Hi, yeah already saw it and stable is affected also. Upstream says the severity is low and I also would say IMHO that this is no candidate for a jessie security update. What do you think?