CVE-2025-24390

Summary

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.

This issue affects:

  • OTRS 7.0.X

  • OTRS 8.0.X

  • OTRS 2023.X

  • OTRS 2024.X

Affected Software

VendorProductVersion RangeStatus
OTRS AGOTRS7.0.xaffected
OTRS AGOTRS8.0.xaffected
OTRS AGOTRS2023.xaffected
OTRS AGOTRS2024.xaffected

Weaknesses

  • CWE-614: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References