A few days ago I found a pretty cool site - TurnKeyLinux. There you will find ready-to-go, pre-installed webapps. I decided to find out whether there is also OTRS ready to check... A few notes below.
The version I found on TurnKey's webpage was (AFAIR) 3.3.9. During your 'blackbox testing' you'll probably see that there are multiple XSS bugs. This is how I found "a few of them":
The response should be similar to the one below:
Because I found that there are also some other bugs, I decided to check it another way:
I don't think that this is the 'latest available version', so probably all of those bugs are already patched.
Anyway, stay secure ;)