CVE-2025-24387 MEDIUM

CVE-2025-24387: Missing CSRF protection

Vendor Otrs Ag
Product OTRS
Weakness CWE-1275
Published March 10, 2025
Last update March 10, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.   This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.x

Key dates

02Disclosure timeline

March 10, 2025 CVE published
March 10, 2025 Record updated