Vulnerabilities > Otrs > Otrs > 7.0.22
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-10 | CVE-2025-24387 | Cross-Site Request Forgery (CSRF) vulnerability in Otrs A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. | 6.5 |
| 2024-01-29 | CVE-2024-23790 | Improper Validation of Integrity Check Value vulnerability in Otrs Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1. | 9.8 |
| 2024-01-29 | CVE-2024-23791 | Information Exposure Through Log Files vulnerability in Otrs Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1. | 7.5 |
| 2024-01-29 | CVE-2024-23792 | Improper Authentication vulnerability in Otrs When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. | 6.5 |
| 2023-10-16 | CVE-2023-38059 | Unspecified vulnerability in Otrs The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. | 5.3 |
| 2023-10-16 | CVE-2023-5421 | Cross-site Scripting vulnerability in Otrs An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34. | 5.5 |
| 2023-10-16 | CVE-2023-5422 | Improper Certificate Validation vulnerability in Otrs The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. | 9.1 |
| 2023-03-20 | CVE-2023-1248 | Cross-site Scripting vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 6.1 |
| 2023-03-20 | CVE-2023-1250 | Code Injection vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. | 7.8 |
| 2022-12-19 | CVE-2022-4427 | SQL Injection vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 9.8 |