CVE-2025-24390

EPSS 0.03%
Published 27.01.2025 06:15:24
Last modified 27.01.2025 06:15:24
Source security@otrs.com
Teams watchlist Login
Open Login

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.

This issue affects: 

  *  OTRS 7.0.X

  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorOTRS AG

≫

Product OTRS

Default Statusaffected

Version 7.0.x

Status affected

Version 8.0.x

Status affected

Version 2023.x

Status affected

Version 2024.x

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@otrs.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

https://otrs.com/release-notes/otrs-security-advisory-2025-04/

https://nvd.nist.gov/vuln/detail/CVE-2025-24390

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24390

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24390

EUVD