CVE-2025-24387

Missing CSRF protection

CVSS 4.8 MEDIUM · EPSS 0.1% · CWE-1275
In short

OTRS authentication cookies lack proper security settings in HTTPS connections, allowing malicious websites to steal user sessions and perform unauthorized actions. This happens because the cookies lack the SameSite and Secure attributes that stop a browser from attaching them to requests initiated by other sites.

Technical detail

The OTRS Application Server fails to set SameSite and Secure attributes on authentication cookies, enabling CSRF attacks where a malicious site can trigger requests that include valid session cookies. An attacker can perform unauthorized read operations by crafting requests from a compromised web page visited by an authenticated OTRS user.
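As an added, defender-side example (not code from this page or from OTRS), the following Python audits Set-Cookie headers for the attributes the advisory says are missing and produces the hardened form a reviewer would ask for. The cookie name and values are constructed; the session cookie name is an assumption.

```python
import re
from typing import Dict, List

# Constructed Set-Cookie headers standing in for HTTPS responses. The first
# mirrors the weakness described in CVE-2025-24387 (no Secure, no SameSite);
# the second is its hardened form; the third shows a SameSite=None mistake.
# Cookie name and values are assumptions, not taken from OTRS.
SAMPLE_HEADERS = [
    "OTRSAgentInterface=abc123; path=/; HttpOnly",
    "OTRSAgentInterface=abc123; path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; path=/; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into cookie name plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {"__name__": name.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return findings for one cookie, in the spirit of CWE-1275 checks."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie may also travel over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: cross-site requests may carry the cookie")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    return findings


def harden(header: str) -> str:
    """Append the attributes a session cookie on HTTPS should carry."""
    attrs = parse_set_cookie(header)
    fixed = header.rstrip("; ")
    if "secure" not in attrs:
        fixed += "; Secure"
    if "samesite" not in attrs:
        fixed += "; SameSite=Lax"   # Lax blocks cross-site POST/subresource sends
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    return fixed


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h)["__name__"], audit_cookie(h) or "OK")
```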

Summary generated and translated by AI from the official description.
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site would send the authentication cookie, performing an unwanted read operation.

This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* OTRS 2025.x
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Affected products
OTRS AG · OTRS
