OTRS versions 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 suffer from a persistent cross-site scripting vulnerability.
2e3f4aa9bd8270be5647e928e03c289520cddaae59e541df172d313c213650b7
Mandriva Linux Security Advisory 2014-054 - An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.
f38f3c4f647137a682ee49e87b9dc2300c3024b6fee14b54fa964b479ebcf01d