CVE-2024-43445

EUVD-2024-40417

27.01.2025, 06:15

A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended. 

This issue affects: 

  *  OTRS 7.0.X

  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X

  *  ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
OTRS	CNA	5.4 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 33%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
otrs	otrs	7.0.0 ≤ 𝑥 < 7.1.0	CNA
otrs	otrs	8.0.0 ≤ 𝑥 < 8.1.0	CNA
otrs	otrs	2023.0 ≤ 𝑥 < 2024.0	CNA
otrs	otrs	2024.0 ≤ 𝑥 < 2025.0	CNA
otrs	otrs	6.0.0 ≤ 𝑥 ≤ 6.0.34	CNA

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://otrs.com/release-notes/otrs-security-advisory-2025-01/