
CVE-2025-24391 – Possible user enumeration
https://notcve.org/view.php?id=CVE-2025-24391
14 Jul 2025 — A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.X
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-07
Weakness: CWE-203: Observable Discrepancy

CVE-2025-24388 – Unsafe handling of AJAX calls
https://notcve.org/view.php?id=CVE-2025-24388
16 Jun 2025 — A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allows parameter injection for an authenticated agent or admin user.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-06
Weakness: CWE-184: Incomplete List of Disallowed Inputs

CVE-2025-24387 – Missing CSRF protection
https://notcve.org/view.php?id=CVE-2025-24387
10 Mar 2025 — A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a potentially malicious web site would send the authentication cookie, performing an unwanted read operation.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.X
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-05
Weakness: CWE-1275: Sensitive Cookie with Improper SameSite Attribute

CVE-2025-24390 – Missing Cookie Flags
https://notcve.org/view.php?id=CVE-2025-24390
27 Jan 2025 — A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-04
Weakness: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2025-24389 – SMTP Password will be shown in cleartext on some SMTP errors
https://notcve.org/view.php?id=CVE-2025-24389
27 Jan 2025 — Certain errors of the upstream libraries insert sensitive information into the OTRS or ((OTRS)) Community Edition log mechanism and into mails sent to the system administrator.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-03
Weakness: CWE-532: Insertion of Sensitive Information into Log File

CVE-2024-43446 – Improper check of permissions in Generic Interface
https://notcve.org/view.php?id=CVE-2024-43446
27 Jan 2025 — An improper privilege management vulnerability in the OTRS Generic Interface module allows changing the ticket status even if the user only has read-only (ro) permissions.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-02
Weakness: CWE-269: Improper Privilege Management

CVE-2024-43445 – Missing X-Content-Type-Options: nosniff Header Allows MIME Type Sniffing
https://notcve.org/view.php?id=CVE-2024-43445
27 Jan 2025 — A vulnerability exists in OTRS and ((OTRS)) Community Edition, which fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-01
Weakness: CWE-20: Improper Input Validation

CVE-2024-43444 – Passwords are written to Admin Log Module
https://notcve.org/view.php?id=CVE-2024-43444
26 Aug 2024 — Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled.
This issue affects:
* OTRS from 7.0.X through 7.0.50
* OTRS 8.0.X
* OTRS 2023.X
* OTRS from 2024.X through 2024.5.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2024-12
Weakness: CWE-532: Insertion of Sensitive Information into Log File

CVE-2024-23794 – Agents are able to lock the ticket without the "Owner" permission
https://notcve.org/view.php?id=CVE-2024-23794
15 Jul 2024 — An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.
This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2024-06
Weakness: CWE-266: Incorrect Privilege Assignment

CVE-2024-6540 – Information exposure in external interface
https://notcve.org/view.php?id=CVE-2024-6540
15 Jul 2024 — Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator.
This issue affects OTRS:
* 8.0.X
* 2023.X
* from 2024.X through 2024.4.x
Advisory: https://otrs.com/release-notes/otrs-security-advisory-2024-07
Weakness: CWE-790: Improper Filtering of Special Elements