Otrs Ag Community Edition vulnerabilities

CVE-2025-24388 [LOW] CWE-184 CVE-2025-24388: A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow param A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very l

CVE-2024-43445 [MEDIUM] CWE-20 CVE-2024-43445: A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response hea A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 20

CVE-2025-24389 [MEDIUM] CWE-532 CVE-2025-24389: Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) C Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) Community Edition log mechanism and mails send to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very li

CVE-2024-43446 [LOW] CWE-269 CVE-2024-43446: An improper privilege management vulnerability in OTRS Generic Interface module allows change of the An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

CVE-2024-43444 [HIGH] CWE-532 CVE-2024-43444: Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certai Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) C

CVE-2024-43443 [MEDIUM] CWE-790 CVE-2024-43443: Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 20

CVE-2024-43442 [MEDIUM] CWE-790 CVE-2024-43442: Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from

CVE-2024-23793 [MEDIUM] CWE-22 CVE-2024-23793: The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. T The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through

CVE-2023-5422 [CRITICAL] CWE-295 CVE-2023-5422: The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for st The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to

CVE-2023-38059 [MEDIUM] CWE-200 CVE-2023-38059: The loading of external images is not blocked, even if configured, if the attacker uses protocol-rel The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

CVE-2023-5421 [MEDIUM] CWE-20 CVE-2023-5421: An attacker who is logged into OTRS as an user with privileges to create and change customer user da An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before

CVE-2023-38060 [HIGH] CWE-20 CVE-2023-38060: Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X befor

CVE-2023-38056 [HIGH] CWE-78 CVE-2023-38056: Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. Schedu Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVE-2023-38057 [MEDIUM] CWE-20 CVE-2023-38057: An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.

CVE-2023-1250 [HIGH] CWE-20 CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Ed Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)

CVE-2023-1248 [MEDIUM] CWE-79 CVE-2023-1248: Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) C Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVE-2022-4427 [CRITICAL] CWE-20 CVE-2022-4427: Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows S Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

CVE-2022-39052 [MEDIUM] CWE-835 CVE-2022-39052: An external attacker is able to send a specially crafted email (with many recipients) and trigger a An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system

CVE-2022-39051 [HIGH] CWE-913 CVE-2022-39051: Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin i Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package

CVE-2022-39049 [MEDIUM] CWE-79 CVE-2022-39049: An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of Ja An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.