CVE-2025-24391

EUVD-2025-21322
A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses.

This issue affects: 

  *  OTRS 7.0.X

  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS 2024.X
  *  OTRS 2025.X
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OTRSCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
otrsotrs
7.0.0 ≤
𝑥
< 7.1.0
CNA
otrsotrs
8.0.0 ≤
𝑥
< 8.1.0
CNA
otrsotrs
2023.0 ≤
𝑥
< 2024.0
CNA
otrsotrs
2024.0 ≤
𝑥
< 2025.0
CNA
otrsotrs
2025.0 ≤
CNA
Common Weakness Enumeration
References
https://otrs.com/release-notes/otrs-security-advisory-2025-07/