
CVE-2025-24387 – Missing CSRF protection
https://notcve.org/view.php?id=CVE-2025-24387
10 Mar 2025 — A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possibly malicious web site would send the authentication cookie, performing an unwanted read operation. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.x
• https://otrs.com/release-notes/otrs-security-advisory-2025-05
• CWE-1275: Sensitive Cookie with Improper SameSite Attribute

CVE-2025-24390 – Missing Cookie Flags
https://notcve.org/view.php?id=CVE-2025-24390
27 Jan 2025 — A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
• https://otrs.com/release-notes/otrs-security-advisory-2025-04
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2025-24389 – SMTP Password will be shown in cleartext on some SMTP errors
https://notcve.org/view.php?id=CVE-2025-24389
27 Jan 2025 — Certain errors of the upstream libraries will insert sensitive information into the OTRS or ((OTRS)) Community Edition log mechanism and into mails sent to the system administrator. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
• https://otrs.com/release-notes/otrs-security-advisory-2025-03
• CWE-532: Insertion of Sensitive Information into Log File

CVE-2024-43446 – Improper check of permissions in Generic Interface
https://notcve.org/view.php?id=CVE-2024-43446
27 Jan 2025 — An improper privilege management vulnerability in the OTRS Generic Interface module allows changing the Ticket status even if the user only has read-only (ro) permissions. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
• https://otrs.com/release-notes/otrs-security-advisory-2025-02
• CWE-269: Improper Privilege Management

CVE-2024-43445 – Missing X-Content-Type-Options: nosniff Header Allows MIME Type Sniffing
https://notcve.org/view.php?id=CVE-2024-43445
27 Jan 2025 — A vulnerability exists in OTRS and ((OTRS)) Community Edition, which fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended. This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
• https://otrs.com/release-notes/otrs-security-advisory-2025-01
• CWE-20: Improper Input Validation

CVE-2024-43444 – Passwords are written to Admin Log Module
https://notcve.org/view.php?id=CVE-2024-43444
26 Aug 2024 — Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects:
* OTRS from 7.0.X through 7.0.50
* OTRS 8.0.X
* OTRS 2023.X
* OTRS from 2024.X through 2024.5.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
• https://otrs.com/release-notes/otrs-security-advisory-2024-12
• CWE-532: Insertion of Sensitive Information into Log File

CVE-2024-23794 – Agents are able to lock the ticket without the "Owner" permission
https://notcve.org/view.php?id=CVE-2024-23794
15 Jul 2024 — An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration. This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
• https://otrs.com/release-notes/otrs-security-advisory-2024-06
• CWE-266: Incorrect Privilege Assignment

CVE-2024-6540 – Information exposure in external interface
https://notcve.org/view.php?id=CVE-2024-6540
15 Jul 2024 — Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x.
• https://otrs.com/release-notes/otrs-security-advisory-2024-07
• CWE-790: Improper Filtering of Special Elements

CVE-2024-23793 – Upload of files outside application directory
https://notcve.org/view.php?id=CVE-2024-23793
06 Jun 2024 — The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code such as Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
• https://otrs.com/release-notes/otrs-security-advisory-2024-05
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2024-23790 – Missing file type check in avatar picture upload
https://notcve.org/view.php?id=CVE-2024-23790
29 Jan 2024 — An improper input validation vulnerability in the upload functionality for user avatars allows functionality misuse due to a missing check of file types. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
• https://otrs.com/release-notes/otrs-security-advisory-2024-01
• CWE-20: Improper Input Validation
• CWE-354: Improper Validation of Integrity Check Value