CVE-2023-38060 MEDIUM

CVE-2023-38060: Host header injection by attachments in web service

Vendor Otrs Ag
Product OTRS
Weakness CWE-20 · Input validation
Published July 24, 2023
Last update February 13, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment.  This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Key dates

02Disclosure timeline

July 24, 2023 CVE published
February 13, 2025 Record updated