Session Hijacking Vulnerability in OTRS Application Server
CVE-2025-24387

6.5MEDIUM

Key Information:

Vendor: Otrs Ag
Status: Otrs
Vendor: CVE Published:; 10 March 2025

What is CVE-2025-24387?

A vulnerability in the OTRS Application Server exposes users to session hijacking attacks due to improperly configured sensitive cookie attributes in HTTPS sessions. This weakness allows an attacker to exploit a request from a malicious website, potentially sending the authentication cookie to access sensitive information and performing unauthorized read operations. Immediate action is recommended to secure the application against such threats.

Affected Version(s)

OTRS 7.0.x

OTRS 8.0.x

References

https://otrs.com/release-notes/otrs-security-advisory-202...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2025
Vulnerability Reserved
Jan 21, 2025

Credit

Special thanks to Alissa Kim for reporting this vulnerability.