PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9139 Otrs CVE debrief

CVE-2016-9139 is a cross-site scripting (XSS) issue in Open Ticket Request System (OTRS) that can be triggered with a crafted attachment. The vulnerability affects OTRS 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14. Because successful exploitation can inject arbitrary web script or HTML, organizations using OTRS to handle untrusted attachments should treat this as a real web application security risk, especially where authenticated users regularly open or preview uploaded files.

Vendor: Otrs
Product: CVE-2016-9139
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

OTRS administrators, help desk and support teams that process attachments, and security teams responsible for web application patching and content handling controls.

Technical summary

NVD classifies the flaw as CWE-79 (cross-site scripting). The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, and no availability impact. The issue is described as allowing remote attackers to inject arbitrary web script or HTML via a crafted attachment. Affected versions listed in the record are OTRS 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14.

Defensive priority

Medium. The published CVSS score is 6.1. The flaw can affect confidentiality and integrity when a user interacts with a malicious attachment, but exploitation depends on that user interaction, and the vector records no availability impact.

Recommended defensive actions

  • Upgrade OTRS to 3.3.16, 4.0.19, or 5.0.14 or later, depending on the deployed branch.
  • Review any workflows that allow users to upload, preview, or open attachments in OTRS.
  • Treat attachments from untrusted sources as potentially hostile and limit preview/rendering features where possible.
  • Apply defensive web controls such as output encoding and strict content handling for uploaded files.
  • Validate that your asset inventory includes all OTRS instances and confirms the fixed version is deployed.
  • Monitor for unusual script execution or HTML injection behavior in ticket views involving attachments.
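The following Python script is an added example, not code from PatchSiren or from the OTRS project, covering two of the actions above: checking an asset inventory against the fixed releases the NVD record names (3.3.16, 4.0.19, 5.0.14), and applying strict content handling and output encoding when an attachment is served or listed in a ticket view. The hostnames and version strings in the inventory are constructed sample data, and the header policy is a generic hardening pattern rather than a description of how OTRS itself serves attachments.

```python
"""Added example (not PatchSiren's or OTRS's code) for the CVE-2016-9139
defensive actions: a version audit and a strict attachment-handling policy.
All inventory data below is constructed for illustration."""
import html
import re
from urllib.parse import quote

# First fixed release per affected branch, as listed in the NVD record
# quoted on the page: 3.3.x < 3.3.16, 4.0.x < 4.0.19, 5.0.x < 5.0.14.
FIXED_VERSIONS = {
    (3, 3): (3, 3, 16),
    (4, 0): (4, 0, 19),
    (5, 0): (5, 0, 14),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.0.13' or '4.0.19-1'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OTRS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True if the version lies in an affected range for CVE-2016-9139.

    Branches the record does not list (for example 6.x) are reported as not
    affected by this CVE; that says nothing about their other exposure."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False
    return version < fixed


def audit_inventory(inventory):
    """Return the hostnames (sorted) that still run an affected OTRS version."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


def attachment_headers(filename):
    """Response headers for serving an uploaded attachment as a download.

    Forcing a download with a generic content type and nosniff keeps the
    browser from rendering attacker-supplied HTML inside the OTRS origin,
    which is the condition a crafted-attachment XSS needs. The ASCII
    filename is sanitised; the original name goes in the RFC 5987 field."""
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(filename, safe='')}"
        ),
        "Content-Security-Policy": "sandbox",
    }


def render_attachment_link(filename, url):
    """HTML for one attachment entry in a ticket view, with both the
    user-controlled filename and the URL output-encoded."""
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(filename)}</a>'


# Constructed sample inventory: hostname -> reported OTRS version.
SAMPLE_INVENTORY = {
    "otrs-prod.example.test": "5.0.13",
    "otrs-dr.example.test": "5.0.14",
    "otrs-legacy.example.test": "3.3.15",
    "otrs-lab.example.test": "6.0.1",
}

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: runs {SAMPLE_INVENTORY[host]}, affected by CVE-2016-9139")
    for key, value in attachment_headers('invoice<script>.html').items():
        print(f"{key}: {value}")
    print(render_attachment_link("<img src=x>", "/otrs/index.pl?Action=AgentTicketAttachment"))
```

Run it as-is to see which sample hosts are still below the fixed release; for real use, feed `audit_inventory` the version strings your inventory tool reports. The header policy applies to any attachment download endpoint you control in front of or beside OTRS, and `render_attachment_link` shows the output encoding the fourth action refers to.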

Evidence notes

The vulnerability description, affected version ranges, CVSS vector, and CWE mapping come from the supplied NVD record. The supplied source metadata also links to a vendor advisory from OTRS and a SecurityFocus reference, supporting that this is a publicly disclosed OTRS issue. Timing in this debrief uses the supplied CVE published date of 2017-02-17; the 2026 modified date is not treated as the issue date.

Official resources

Publicly recorded in the CVE/NVD dataset on 2017-02-17, with an OTRS vendor advisory referenced by the NVD record.