Host header injection by attachments in web service
CVE-2023-38060

8.8HIGH

Key Information:

Vendor: Otrs Ag
Status: Otrs; ((otrs)) Community Edition
Vendor: CVE Published:; 24 July 2023

What is CVE-2023-38060?

The vulnerability in OTRS arises from improper input validation within the ContentType parameter for attachments during TicketCreate and TicketUpdate operations in the Generic Interface modules. This allows authenticated attackers to execute host header injection for the ContentType header of an attachment. Organizations using affected versions should apply the provided patches promptly to eliminate the risk associated with this vulnerability.

Affected Version(s)

((OTRS)) Community Edition 6.0.1 <= 6.0.34

OTRS 7.0.x

OTRS 7.0.x < 7.0.45

References

https://otrs.com/release-notes/otrs-security-advisory-202...

https://lists.debian.org/debian-lts-announce/2023/08/msg0...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 24, 2023
Vulnerability Reserved
Jul 12, 2023

Credit

Special thanks to Tim Püttmanns for reporting these vulnerability.

Otrs Ag

What is CVE-2023-38060?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit