
CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Mar 2025 — A vulnerability in OTRS Application Server allows session hijacking because sensitive cookies in HTTPS sessions are set without the required attributes. A request to an OTRS endpoint originating from a possibly malicious web site would carry the authentication cookie along with it, performing an unwanted read operation. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.x • https://otrs.com/release-notes/otrs-security-advisory-2025-05 • CWE-1275: Sensitive Cookie with Improper SameSite Attribute

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jan 2025 — A vulnerability in OTRS Application Server and its reverse proxy settings allows session hijacking because sensitive cookies in HTTPS sessions are set without the required attributes. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X • https://otrs.com/release-notes/otrs-security-advisory-2025-04 • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVSS: 6.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jan 2025 — Certain errors raised by upstream libraries cause sensitive information to be written to the OTRS or ((OTRS)) Community Edition log mechanism and to the mails sent to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected. • https://otrs.com/release-notes/otrs-security-advisory-2025-03 • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 4.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jan 2025 — An improper privilege management vulnerability in the OTRS Generic Interface module allows the ticket status to be changed even when the user only has read-only (ro) permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected. • https://otrs.com/release-notes/otrs-security-advisory-2025-02 • CWE-269: Improper Privilege Management

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jan 2025 — A vulnerability exists in OTRS and ((OTRS)) Community Edition, which fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that the browser would then treat as a different MIME type than intended. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected. • https://otrs.com/release-notes/otrs-security-advisory-2025-01 • CWE-20: Improper Input Validation

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Jun 2024 — The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. It permits authenticated agents or customer users to upload potentially harmful files into directories accessible by the web server, which could lead to the execution of local code such as Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. • https://otrs.com/release-notes/otrs-security-advisory-2024-05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')