CVE-2025-24391

EPSS 0.04%
Published 14.07.2025 08:15:58
Last modified 15.07.2025 13:14:24
Source security@otrs.com
Teams watchlist Login
Open Login

A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses.

This issue affects: 

  *  OTRS 7.0.X

  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X
  *  OTRS 2025.X

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorOTRS AG

≫

Product OTRS

Default Statusaffected

Version 7.0.x

Status affected

Version 8.0.x

Status affected

Version 2023.x

Status affected

Version 2024.x

Status affected

Version <= 2025.5.x

Version 2025.x

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.119

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@otrs.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://otrs.com/release-notes/otrs-security-advisory-2025-07/

https://nvd.nist.gov/vuln/detail/CVE-2025-24391

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24391

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24391

EUVD