CVE-2025-24391
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-07-15
Assigner: OTRS AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otrs | otrs | 8.0 |
| otrs | otrs | 2025 |
| otrs | otrs | 2024 |
| otrs | otrs | 2023 |
| otrs | otrs | 7.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the External Interface of OTRS allows attackers to determine whether user accounts exist by analyzing different HTTP response codes and messages. This enables systematic identification of valid email addresses associated with the system, which can be used for further attacks such as account footprinting. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers to identify valid email addresses in the OTRS system, which can lead to targeted attacks such as phishing, social engineering, or brute force attempts. This compromises user privacy and can increase the risk of unauthorized access or data breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by observing different HTTP response codes and messages from the External Interface of OTRS when querying for user accounts or email addresses. An attacker can systematically identify valid email addresses by analyzing these discrepancies. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating OTRS to version 2025.6.1 or later, as no patches will be provided for OTRS 7. Users of OTRS 7 must upgrade to a supported version to remediate the issue. [1]