CVE-2025-24388
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-06-16
Assigner: OTRS AG
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-24388 is a vulnerability in the OTRS Admin Interface and Agent Interface that allows an authenticated agent or admin user to perform parameter injection attacks. This occurs due to incomplete filtering of inputs (classified under CWE-184), which can lead to malicious parameters being injected into the system. It affects multiple versions of OTRS including 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and the Community Edition 6.0.x. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated agent or admin user to inject malicious parameters into the OTRS system, potentially leading to unauthorized actions or disruptions. While the CVSS base score is 3.8, indicating a low to medium severity, the impact includes integrity and availability issues (I:L, A:L). The Application Server component in versions 7.0.x through 2025.1.2 is unaffected, but versions 7 and earlier have a higher impact. No patches are available for OTRS 7, so updating to version 2025.5.2 or later is recommended to mitigate the risk. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update your OTRS installation to version 2025.5.2 or later, as no patches will be provided for OTRS 7 and earlier versions. This update addresses the parameter injection vulnerability in the Admin and Agent Interfaces. [1]