
OTRS AG OTRS vulnerabilities

75 known vulnerabilities affecting otrs_ag/otrs.

Total CVEs: 75
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 14, MEDIUM 53, LOW 4

Vulnerabilities

Page 2 of 4

CVE | Priority | Severity | CVSS | Affected versions | Date
CVE-2021-21440 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.0.x, ≤ 7.0.27; ≥ 8.0.x, ≤ 8.0.14 | 2021-07-26
CWE-200: Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Source: nvd
CVE-2026-48209 | P4 | HIGH | CVSS 7.1 | v7.0.x | 2026-06-01
CWE-79: An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary
Source: nvd
CVE-2025-24387 | P4 | MEDIUM | CVSS 6.5 | v7.0.x, v8.0.x, +3 more | 2025-03-10
CWE-1275: A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possibly malicious web site would send the authentication cookie, performing an unwanted read operation. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X *
Source: nvd
CVE-2021-21435 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.0.x, ≤ 7.0.23; ≥ 8.0.x, ≤ 8.0.10 | 2021-02-08
CWE-200: Article Bcc fields and agent personal information are shown when a customer prints the ticket (PDF) via the external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.
Source: nvd
CVE-2026-48208 | P4 | MEDIUM | CVSS 6.5 | v7.0.x, v8.0.x, +4 more | 2026-06-01
CWE-400: An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without Jav
Source: nvd
CVE-2026-48189 | P4 | MEDIUM | CVSS 5.7 | v7.0.x, v8.0.x, +4 more | 2026-06-01
CWE-200: An improper input validation vulnerability in the OTRS Customer Backend module allows access to customer information that is restricted to other groups. Please note that the feature has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Source: nvd
CVE-2025-24389 | P4 | MEDIUM | CVSS 6.3 | v7.0.x, v8.0.x, +2 more | 2025-01-27
CWE-532: Certain errors of the upstream libraries insert sensitive information into the OTRS or ((OTRS)) Community Edition log mechanism and into mails sent to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very li
Source: nvd
CVE-2021-21439 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.0.x, ≤ 7.0.26; ≥ 8.0.x, ≤ 8.0.13 | 2021-06-14
CWE-754: A DoS attack can be performed when an email contains a specially designed URL in the body. It can lead to high CPU usage and cause low quality of service, or in an extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions;
Source: nvd
CVE-2022-39052 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.0.x, ≤ 7.0.39; ≥ 8.0.x, ≤ 8.0.26 | 2022-10-17
CWE-835: An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system.
Source: nvd
CVE-2026-48210 | P4 | MEDIUM | CVSS 5.7 | v2026.3.1 | 2026-05-31
CWE-200: An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevents users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1.
Source: nvd
CVE-2024-6540 | P4 | MEDIUM | CVSS 5.3 | v8.0.x, v2023.x, +1 more | 2024-07-15
CWE-790: Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTR
Source: nvd
CVE-2020-1766 | P4 | MEDIUM | CVSS 6.1 | v7.0.x version 7.0.13 and prior versions | 2020-01-10
CWE-79: Due to improper handling of uploaded images it is possible, in very unlikely and rare conditions, to force the agent's browser to execute malicious JavaScript from a specially crafted SVG file rendered as an inline JPG file. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0
Source: nvd
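Both SVG entries on this page (CVE-2026-48208, resource exhaustion from active SVG content in article rendering, and CVE-2020-1766, script execution from a crafted SVG served inline) come down to rendering attacker-supplied SVG without neutralising it first. The sanitiser below is an added example, not OTRS code: it strips scripting, event handlers, animation and external references, and rejects files that exceed a nesting, element, canvas or filter budget, since the second class of payload needs no JavaScript at all. The tag list, the limits and the sample documents are this example's own assumptions.

```python
# Added example (not OTRS code): neutralise active SVG content before inline
# rendering. It covers both failure modes listed above: script execution from a
# crafted SVG (CVE-2020-1766) and browser-side resource exhaustion
# (CVE-2026-48208). The tag/attribute policy and the limits are this example's
# own assumptions, not OTRS's configuration. Samples are constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute code, embed foreign content, animate or pull in other
# resources; removed together with their subtree.
ACTIVE_TAGS = {"script", "foreignObject", "animate", "animateTransform",
               "animateMotion", "set", "use", "image", "iframe", "embed", "object"}
# Budget against non-script DoS payloads (deep nesting, element floods, giant
# canvases, stacked filters). Values are assumptions for the example.
MAX_DEPTH = 32
MAX_ELEMENTS = 5000
MAX_DIMENSION = 4096
MAX_FILTERS = 16


class UnsafeSvg(ValueError):
    """Raised when the document exceeds the budget; such files are rejected, not repaired."""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _num(value) -> float:
    m = re.match(r"\s*(\d*\.?\d+)", value or "")
    return float(m.group(1)) if m else 0.0


def _strip_attrs(el) -> None:
    """Drop on* handlers, non-fragment hrefs (javascript:, data:, remote) and
    CSS values that can fetch or execute."""
    for attr in list(el.attrib):
        name = _local(attr).lower()
        val = el.attrib[attr].strip().lower()
        if (name.startswith("on")
                or (name == "href" and not val.startswith("#"))
                or (name == "style" and ("url(" in val or "expression(" in val))):
            del el.attrib[attr]


def sanitize_svg(data: bytes) -> bytes:
    # DTD/entity declarations are refused outright: entity expansion is itself a DoS.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise UnsafeSvg("DTD or entity declarations are not allowed")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise UnsafeSvg("root element is not <svg>")
    if max(_num(root.get("width")), _num(root.get("height"))) > MAX_DIMENSION:
        raise UnsafeSvg("canvas larger than allowed")

    seen = filters = 0

    def walk(el, depth: int) -> None:
        nonlocal seen, filters
        if depth > MAX_DEPTH:
            raise UnsafeSvg("nesting too deep")
        seen += 1
        if seen > MAX_ELEMENTS:
            raise UnsafeSvg("too many elements")
        if _local(el.tag) == "filter":
            filters += 1
            if filters > MAX_FILTERS:
                raise UnsafeSvg("too many filter definitions")
        _strip_attrs(el)
        for child in list(el):
            if _local(child.tag) in ACTIVE_TAGS:
                el.remove(child)
            else:
                walk(child, depth + 1)

    walk(root, 0)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root)


def is_safe_svg(data: bytes) -> bool:
    """True if the file can be sanitised within budget, False if it is rejected."""
    try:
        sanitize_svg(data)
        return True
    except (UnsafeSvg, ET.ParseError):
        return False


# Constructed sample mixing a script, an event handler, a javascript: link and a <use>.
SAMPLE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">'
    b'<script>alert(1)</script>'
    b'<rect width="50" height="50" onload="alert(1)" fill="red"/>'
    b'<a xlink:href="javascript:alert(1)"><text>x</text></a>'
    b'<use xlink:href="#g"/></svg>'
)
# Constructed DoS-style sample: 40 nested groups and no script at all.
DEEP_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
            + b"<g>" * 40 + b"</g>" * 40 + b"</svg>")
```

Rejecting over-budget files rather than trimming them is deliberate: a payload built for resource exhaustion has no legitimate rendering, so there is nothing to salvage. Serving the sanitised result with a correct `image/svg+xml` type and `X-Content-Type-Options: nosniff` (the subject of CVE-2024-43445 on this page) closes the remaining path of getting it interpreted as something else.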
CVE-2024-43445 | P4 | MEDIUM | CVSS 5.4 | v7.0.x, v8.0.x, +3 more | 2025-01-27
CWE-20: OTRS and ((OTRS)) Community Edition fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this by uploading or inserting content that would be treated as a different MIME type than intended. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 20
Source: nvd
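CVE-2025-24387 (session cookie issued without the attributes that keep a cross-site request from carrying it) and CVE-2024-43445 (no `X-Content-Type-Options: nosniff`) are both visible in a single response from the application. The audit below is an added example, not OTRS code: it parses a raw HTTP response and reports each Set-Cookie value that lacks Secure, HttpOnly or SameSite, and a missing or wrong nosniff header. The sample response and its cookie names are constructed for the example and are not OTRS's real cookie names.

```python
# Added example (not OTRS code): audit a raw HTTP response for the two gaps
# described above, missing Set-Cookie attributes and a missing
# X-Content-Type-Options: nosniff header. The sample response is constructed;
# the cookie names in it are illustrative, not OTRS's real cookie names.
from __future__ import annotations

from dataclasses import dataclass

REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


@dataclass(frozen=True)
class Finding:
    header: str
    problem: str


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return status, headers


def audit_cookie(set_cookie: str) -> list[str]:
    """Return the names of the required attributes missing from one Set-Cookie
    value. Attribute names are compared case-insensitively, as browsers do."""
    parts = [p.strip() for p in set_cookie.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in present]


def audit_response(raw: str) -> list[Finding]:
    """Collect findings for nosniff and for every cookie the response sets."""
    _, headers = parse_response(raw)
    findings: list[Finding] = []
    xcto = [v for n, v in headers if n.lower() == "x-content-type-options"]
    if not xcto:
        findings.append(Finding("X-Content-Type-Options",
                                "header absent; browsers may MIME-sniff uploaded content"))
    elif xcto[0].lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options",
                                f"value {xcto[0]!r} is not 'nosniff'"))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        for attr in audit_cookie(value):
            findings.append(Finding("Set-Cookie", f"{cookie}: missing {attr}"))
    return findings


# Constructed sample: one cookie lacks Secure and SameSite, and nosniff is absent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: Session=4f2a9c; Path=/; HttpOnly\r\n"
    "Set-Cookie: BrowserHasCookie=1; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"{f.header}: {f.problem}")
```

Run it against a captured login response (for example the output of `curl -si` against the agent or external interface) rather than the constructed sample; a session cookie that the audit flags as missing SameSite is exactly the condition that lets a third-party page trigger the unwanted authenticated read described in CVE-2025-24387.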
CVE-2025-24391 | P4 | MEDIUM | CVSS 5.3 | v7.0.x, v8.0.x, +3 more | 2025-07-14
CWE-203: A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X
Source: nvd
CVE-2021-36092 | P4 | MEDIUM | CVSS 6.1 | ≥ 7.0.x, ≤ 7.0.27; ≥ 8.0.x, ≤ 8.0.14 | 2021-07-26
CWE-79: It is possible to create an email which contains a specially crafted link that can be used to perform an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Source: nvd
CVE-2020-1765 | P4 | MEDIUM | CVSS 5.3 | v7.0.x version 7.0.13 and prior versions | 2020-01-10
CWE-472: Improper control of parameters allows spoofing of the From fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior v
Source: nvd
CVE-2020-1768 | P4 | MEDIUM | CVSS 5.4 | ≥ 7.0.x, ≤ 7.0.14 | 2020-02-07
CWE-613: The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity, so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
Source: nvd
CVE-2021-36095 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.0.x, ≤ 7.0.28 | 2021-09-06
CWE-200: A malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Source: nvd
CVE-2023-5421 | P4 | MEDIUM | CVSS 5.5 | ≥ 7.0.x, < 7.0.47; ≥ 8.0.x, < 8.0.37 | 2023-10-16
CWE-20: An attacker who is logged into OTRS as a user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediately after the data is saved. The issue only occurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before
Source: nvd
CVE-2022-32741 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.0.x, ≤ 7.0.34; ≥ 8.0.x, ≤ 8.0.22 | 2022-06-13
CWE-200: An attacker is able to determine whether the provided username exists (and is valid) using the Request New Password feature, based on the response time.
Source: nvd
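Three entries on this page are the same weakness observed through different channels: CVE-2021-36095 (the "lost password" feature reveals valid logins), CVE-2025-24391 (different response codes and messages in the External Interface) and CVE-2022-32741 (a response-time difference in Request New Password). The check below is an added example, not OTRS code, of how to test a password-reset endpoint for all three oracles at once: it takes samples captured for one known-valid login and for random logins and reports any difference in status code, normalised body or median response time. The samples, the neutral message and the anti-CSRF token pattern used for normalisation are constructed for the example.

```python
# Added example (not OTRS code): decide whether a "lost password" / "request new
# password" endpoint leaks account existence, the weakness behind
# CVE-2021-36095, CVE-2022-32741 and CVE-2025-24391 above. It compares
# samples captured for one known-valid login against samples for random
# logins on three axes: status code, normalised body, and response time.
# All samples here are constructed; the token pattern is an assumption.
from __future__ import annotations

import re
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    status: int
    body: str
    elapsed_ms: float


def normalise(body: str) -> str:
    """Remove per-request noise (anti-CSRF token, timestamps, whitespace) so
    that only semantic differences between responses remain."""
    body = re.sub(r'name="ChallengeToken" value="[^"]*"',
                  'name="ChallengeToken" value=""', body)
    body = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}", "<ts>", body)
    return re.sub(r"\s+", " ", body).strip()


def spread_ms(samples: list[Sample]) -> float:
    times = [s.elapsed_ms for s in samples]
    return max(times) - min(times)


def enumeration_oracles(valid: list[Sample], invalid: list[Sample],
                        min_gap_ms: float = 100.0) -> list[str]:
    """Return a description of every observable difference between the two
    groups. An empty list means the endpoint behaves identically for both."""
    findings = []
    if {s.status for s in valid} != {s.status for s in invalid}:
        findings.append("status code differs")
    if {normalise(s.body) for s in valid} != {normalise(s.body) for s in invalid}:
        findings.append("response body differs")
    gap = abs(median(s.elapsed_ms for s in valid)
              - median(s.elapsed_ms for s in invalid))
    # A timing oracle needs a gap that is both absolutely large and well above
    # the jitter seen within each group (3x the worst within-group spread).
    noise = max(spread_ms(valid), spread_ms(invalid))
    if gap >= max(min_gap_ms, 3 * noise):
        findings.append(f"timing differs by ~{gap:.0f} ms")
    return findings


def _page(message: str, token: str) -> str:
    return (f'<form><input type="hidden" name="ChallengeToken" value="{token}">'
            f"<p>{message}</p></form>")


NEUTRAL = "If the login exists, password reset instructions have been sent."
# Constructed: same neutral message for both, but the server really sends mail
# for a valid login (~420 ms) whereas unknown logins return in ~40 ms.
VALID_SAMPLES = [Sample(200, _page(NEUTRAL, f"t{i}"), t)
                 for i, t in enumerate([420, 435, 410, 428, 440])]
INVALID_SAMPLES = [Sample(200, _page(NEUTRAL, f"u{i}"), t)
                   for i, t in enumerate([40, 38, 45, 41, 39])]
# Constructed: timing matches the valid case, but the message itself leaks.
INVALID_LEAKY_BODY = [Sample(200, _page("Login is invalid.", f"v{i}"), t)
                      for i, t in enumerate([422, 430, 415, 425, 438])]

if __name__ == "__main__":
    print(enumeration_oracles(VALID_SAMPLES, INVALID_SAMPLES))
    print(enumeration_oracles(VALID_SAMPLES, INVALID_LEAKY_BODY))
```

Collect at least a handful of samples per group so the within-group spread is meaningful, and capture them from the same network position in quick succession. The fix side follows from the three axes: one status code and one message for both outcomes, and the same amount of work on the request path (for instance queuing the mail and answering before it is sent) so that the timing difference disappears as well.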