CVE-2025-24387

Summary

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.  

This issue affects:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X
  • OTRS 2025.x

Affected Software

VendorProductVersion RangeStatus
OTRS AGOTRS7.0.xaffected
OTRS AGOTRS8.0.xaffected
OTRS AGOTRS2023.xaffected
OTRS AGOTRS2024.xaffected
OTRS AGOTRS2025.x <= 2025.1.2affected

Weaknesses

  • CWE-1275: CWE-1275: Sensitive Cookie with Improper SameSite Attribute

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References