CVE-2025-24387

EUVD-2025-7643
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive 
cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.
 

This issue affects:

  *  OTRS 7.0.X
  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X
  *  OTRS 2025.x
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
OTRSCNA
4.8 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Affected Products (NVD)
VendorProductVersion
otrsotrs
7.0.0 ≤
𝑥
≤ 2025.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://otrs.com/release-notes/otrs-security-advisory-2025-05/