Content-Type Sniffing Vulnerability in OTRS by OTRS AG
CVE-2024-43445

5.4MEDIUM

Key Information:

Vendor: Otrs Ag
Status: Otrs; ((otrs)) Community Edition
Vendor: CVE Published:; 27 January 2025

What is CVE-2024-43445?

A significant vulnerability has been identified in OTRS and its Community Edition, where the crucial HTTP response header X-Content-Type-Options is not set to 'nosniff'. This oversight may allow attackers to upload or insert content that could be misinterpreted as a different MIME type than intended, potentially leading to various malicious outcomes. This vulnerability impacts several versions including OTRS 7.0.X, 8.0.X, and the OTRS Community Edition 6.0.x. Additionally, any products built on the OTRS Community Edition are likely at risk.

Affected Version(s)

((OTRS)) Community Edition 6.0.x <= 6.0.34

OTRS 7.0.x

References

https://otrs.com/release-notes/otrs-security-advisory-202...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 27, 2025
Vulnerability Reserved
Aug 13, 2024

Credit

Special thanks to Alissa Kim for reporting this vulnerability.