CVE-2025-24390

EUVD-2025-3686
A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.

This issue affects: 

  *  OTRS 7.0.X

  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OTRSCNA
6.8 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
otrsotrs
7.0.0 ≤
𝑥
< 7.1.0
CNA
otrsotrs
8.0.0 ≤
𝑥
< 8.1.0
CNA
otrsotrs
2023.0 ≤
𝑥
< 2024.0
CNA
otrsotrs
2024.0 ≤
𝑥
< 2025.0
CNA
Common Weakness Enumeration
References
https://otrs.com/release-notes/otrs-security-advisory-2025-04/