SecuriTricks - CVE-2025-24388

Description

A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

Product(s) Impacted

Vendor	Product	Versions
Otrs	Otrs Community Edition	7.0., 8.0., 2023., 2024., 2025.* 6.0.*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-184

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	otrs	otrs	7.0.*	/	/	/	/	/	/	/
a	otrs	otrs	8.0.*	/	/	/	/	/	/	/
a	otrs	otrs	2023.*	/	/	/	/	/	/	/
a	otrs	otrs	2024.*	/	/	/	/	/	/	/
a	otrs	otrs	2025.*	/	/	/	/	/	/	/
a	otrs	community_edition	6.0.*	/	/	/	/	/	/	/

References

https://otrs.com/release-notes/otrs-security-advisory-2025-06/

CVSS Score

3.8 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

View Vector String

Timeline

Published: June 16, 2025, 12:15 p.m.
Last Modified: June 16, 2025, 12:32 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@otrs.com

CVE-2025-24388