Remove stored XSS


  • Used Zammad version: 3.1.x
  • Used Zammad installation type: package
  • Operating system: CentOS7
  • Browser + version: any

Steps to reproduce the behavior:

  • We have an old installation of Zammad 3.1.x (package install, CentOS7)
    that was vulnerable to stored XSS via a custom Avatar (CVE-2021-42085).
    We followed the Security Advisory ZAA-2021-17 and updated to the latest version of Zammad 5.0.x.
    No more new XSS via a custom Avatar can be stored (tested).
    But the previous XSS can still be triggered (samples from pen-testing).
    How to find and delete all possible stored XSS?
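The post asks how to locate avatars that were stored before the fix and still carry script content. The following is an added example, not code from the post or from the Zammad project: a small triage check that classifies the raw bytes of a stored avatar as a genuine raster image, as script-bearing markup, or as something else worth a manual look. How the bytes are fetched from Zammad's storage is left out and is an assumption; the sample avatars below are constructed for the example.

```python
import re

# Magic-number signatures of the raster formats an avatar is expected to be.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# Markup that has no business in an avatar: script tags, javascript: URLs,
# inline event handlers and embedding elements (SVG/HTML can carry all of these).
SCRIPT_MARKERS = re.compile(
    rb"<script|javascript:|\son[a-z]+\s*=|<foreignobject|<iframe|<object|<embed",
    re.IGNORECASE,
)


def is_raster_image(data: bytes) -> bool:
    """True when the blob starts with a PNG, JPEG or GIF signature."""
    return (
        data.startswith(PNG_SIGNATURE)
        or data.startswith(JPEG_SIGNATURE)
        or data.startswith(GIF_SIGNATURES)
    )


def classify_avatar(data: bytes) -> str:
    """Return 'ok' for a raster image, 'suspicious' for markup containing
    script markers, and 'not-an-image' for anything else (e.g. a plain SVG),
    which should be reviewed or replaced rather than served as-is."""
    if is_raster_image(data):
        return "ok"
    if SCRIPT_MARKERS.search(data):
        return "suspicious"
    return "not-an-image"


def find_avatars_to_review(avatars: dict) -> dict:
    """Map avatar id -> classification for every avatar that is not 'ok'.
    `avatars` maps an identifier to the raw stored bytes (how to obtain
    these from the database or file store is an assumption left to the reader)."""
    return {
        avatar_id: classify_avatar(blob)
        for avatar_id, blob in avatars.items()
        if classify_avatar(blob) != "ok"
    }


# Constructed sample data, not real Zammad records.
SAMPLE_AVATARS = {
    "user-1": PNG_SIGNATURE + b"\x00" * 16,
    "user-2": b'<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>',
    "user-3": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "user-4": JPEG_SIGNATURE + b"\x00" * 16,
}

if __name__ == "__main__":
    for avatar_id, verdict in find_avatars_to_review(SAMPLE_AVATARS).items():
        print(f"{avatar_id}: {verdict}")
```

Anything reported as `suspicious` is a candidate for deletion or replacement with a default avatar; `not-an-image` entries are non-raster uploads that the upgraded version would no longer accept and deserve a manual check.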

Duplicate of Clean up stored XSS and therefore closed.