CVE-2024-43445 MEDIUM

CVE-2024-43445: Missing X-Content-Type-Options: nosniff Header Allows MIME Type Sniffing

Vendor OTRS AG
Product OTRS
Weakness CWE-20 · Input validation
Published January 27, 2025
Last update February 12, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

A vulnerability exists in OTRS and ((OTRS Community Edition)), which fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.

This issue affects:

* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition are also very likely to be affected.
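To verify whether a deployment sends the header described above, the following added example (not part of the advisory or of OTRS code) audits raw HTTP responses for X-Content-Type-Options. The function names and sample responses are constructed for illustration.

```python
# Added example: audit raw HTTP responses for the X-Content-Type-Options header.
# All sample responses are constructed; none come from a real OTRS instance.

def parse_headers(raw: str) -> list:
    """Return (lowercased name, value) pairs from the header block only."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_nosniff(raw: str) -> str:
    """Classify a response as 'ok', 'missing' or 'invalid'."""
    values = [v for n, v in parse_headers(raw) if n == "x-content-type-options"]
    if not values:
        return "missing"
    # The Fetch standard's nosniff check combines repeated headers, takes the
    # first comma-separated value and compares it case-insensitively.
    first = ",".join(values).split(",")[0].strip().lower()
    return "ok" if first == "nosniff" else "invalid"


def audit(responses: dict) -> dict:
    """Map each labelled response to its nosniff status."""
    return {label: check_nosniff(raw) for label, raw in responses.items()}


SAMPLES = {  # constructed responses
    # Header-like text in the body must not count as a header.
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 "X-Content-Type-Options: nosniff",
    "correct": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               "X-Content-Type-Options: nosniff\r\n\r\nhello",
    "mixed_case": "HTTP/1.1 200 OK\r\nx-content-type-options: NoSniff\r\n\r\n",
    "wrong_value": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: none\r\n\r\n",
}

if __name__ == "__main__":
    for label, status in audit(SAMPLES).items():
        print(f"{label}: {status}")
```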

Key dates

02 Disclosure timeline

January 27, 2025 CVE published
February 12, 2025 Record updated