Mandriva Linux Security Advisory 2014-054 - An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.
f38f3c4f647137a682ee49e87b9dc2300c3024b6fee14b54fa964b479ebcf01d