Otrs Otrs

  1. Vendors
  2. Otrs

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Otrs product.

RSS Feeds for Otrs security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Otrs products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Otrs Sorted by Most Security Vulnerabilities since 2018

Otrs90 vulnerabilities

Otrs Open Ticket Request System6 vulnerabilities

Otrs Itsm3 vulnerabilities

Otrs Survey2 vulnerabilities

Otrs Calendar Resource Planning1 vulnerability

Otrs Cis In Customer Frontend1 vulnerability

Otrs Custom Contact Fields1 vulnerability

Otrs Faq1 vulnerability

Otrs Itsmconfigurationmanagement1 vulnerability

Otrs Storm1 vulnerability

Otrscisincustomerfrontend1 vulnerability

Otrs Ticket Forms1 vulnerability

Otrs Time Accounting1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Otrs. Last year, in 2025 Otrs had 7 security vulnerabilities published. Right now, Otrs is on track to have less security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 7 6.50
2024 8 7.32
2023 12 6.77
2022 14 6.06
2021 20 5.46
2020 18 5.22
2019 13 5.44
2018 8 5.38

It may take a day or so for new Otrs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Otrs Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-24391 Jul 14, 2025
OTRS External Interface user enumeration via HTTP codes A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X
Otrs
CVE-2025-24388 Jun 16, 2025
OTRS (<8) Admin/Agent Param Injection (Auth) A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2025-24387 Mar 10, 2025
OTRS Session Hijack via Missing Secure Cookie (v7.0-2025.x) A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.   This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.x
Otrs
CVE-2025-24390 Jan 27, 2025
OTRS Session Hijacking via Missing Secure/HttpOnly Cookie Flags in 7.02024 A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X
Otrs
CVE-2025-24389 Jan 27, 2025
OTRS <=8.0.x Sensitive Data Leakage via Log & Email (Component: System Logs) Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) Community Edition log mechanism and mails send to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2024-43446 Jan 27, 2025
OTRS Generic Interface Privilege Escalation (RO-permission) An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2024-43445 Jan 27, 2025
OTRS X-Content-Type-Options Header Missing Vulnerable in OTRS 68, 20232024 A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2024-43444 Aug 26, 2024
OTRS 6.0.x-8.0.x Plain Text Password Exposure in Admin Log (debug enabled) Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2024-43442 Aug 26, 2024
OTRS 7.x-8.x XSS in System Config (admin) CVE-2024-43442 Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects:  * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Otrs
CVE-2024-6540 Jul 15, 2024
OTRS 8/2023/4.x Improper Export Filtering (TicketSearchLegacyEngine) Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
Otrs
CVE-2024-23794 Jul 15, 2024
OTRS 8.0/2023: Priv Escal via Inline Editing (ReadOnly Agent) An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:  * 8.0.X * 2023.X * from 2024.X through 2024.4.x
Otrs
CVE-2024-23793 Jun 06, 2024
OTRS File Upload Path Traversal before 7.0.49, 8.x, 2023.x, 2024.3.2, 6.0.34 (CE) The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2024-23792 Jan 29, 2024
OTRS Ticket Comment Attachment Impersonation (CVE-2024-23792) When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Otrs
CVE-2024-23791 Jan 29, 2024
OTRS 7-8.x Vulnerability: Log Debug Info Exposes Sensitive Articles Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Otrs
CVE-2024-23790 Jan 29, 2024
OTRS Avatar Upload Input Validation Flaw (7.07.0.48, 8.08.0.37) Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
Otrs
CVE-2023-6254 Nov 27, 2023
OTRS 8.0 Plain Text Passwords Leak via AgentInterface & ExternalInterface (pre8.0.37) A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through 8.0.37.
Otrs
CVE-2023-38059 Oct 16, 2023
OTRS Remote IP Leak via External Images before 7.0.47/8.0.37/6.0.34 The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Otrs
CVE-2023-5421 Oct 16, 2023
OTRS 7.0.47/8.0.37/6.0.34: XSS via CustomerID Field An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Otrs
CVE-2023-5422 Oct 16, 2023
OTRS SSL Cert Validation Failure in Mail (<=8.0.37, 7.0.47) The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Otrs
CVE-2023-38060 Jul 24, 2023
OTRS <=7.0.44 / <=8.0.34 Host Header Injection in Generic Interface ContentType Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment.  This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2023-38058 Jul 24, 2023
OTRS 8.0.X Improper Privilege Check in Ticket Move Action before 8.0.35 An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
Otrs
CVE-2023-38057 Jul 24, 2023
OTRS Survey <7.0.32 / <8.0.13 XSS via unvalidated JS input An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
Otrs
Survey
CVE-2023-38056 Jul 24, 2023
OTRS <7.0.45, <8.0.35 Unauthorized Local Exec via SchedulerCronTaskModule Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2023-2534 May 08, 2023
Improper Authorization in OTRS 8 Websocket API (before 8.0.32) Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32.
Otrs
CVE-2018-17883 Apr 16, 2023
OTRS 6.0.x <6.0.12 Remote XSS via Malicious Email Link An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.
Otrs
CVE-2023-1250 Mar 20, 2023
OTRS ACL input validation local code exec v7.0<7.0.42, v8.0<8.0.31, v6.0.16.0.34 Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2023-1248 Mar 20, 2023
OTRS Ticket Actions XSS 7.0 before 7.0.42 / 6.0.1-6.0.34 Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2022-4427 Dec 19, 2022
OTRS TicketSearch WS SQLI (6.0.1-6.0.34; 7.0.1-7.0.40; 8.0.1-8.0.28) Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Otrs
CVE-2022-3501 Oct 17, 2022
Access Control Defect: Article Template Contents Exposed via Agents without Permissions Article template contents with sensitive data could be accessed from agents without permissions.
Otrs
CVE-2022-39052 Oct 17, 2022
MS Outlook DoS via crafted To header in email An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
Otrs
CVE-2022-39051 Sep 05, 2022
Template Toolkit Exec via Unverified 3rd Party Perl Package Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
Otrs
CVE-2022-39050 Sep 05, 2022
OTRS Stored XSS via Customer URL in Admin Session An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
Otrs
CVE-2022-39049 Sep 05, 2022
OTRS Admin URL Manipulation Enables JavaScript XSS An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
Otrs
CVE-2022-32741 Jun 13, 2022
Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
Otrs
CVE-2022-32740 Jun 13, 2022
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances. A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.
Otrs
CVE-2022-32739 Jun 13, 2022
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.
Calendar Resource Planning
Otrs
CVE-2022-1004 Mar 21, 2022
Accounted time is shown in the Ticket Detail View (External Interface) Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Otrs
CVE-2022-0475 Mar 21, 2022
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed) Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.
Otrs
CVE-2021-36100 Mar 21, 2022
Specially crafted string in OTRS system configuration can Specially crafted string in OTRS system configuration can allow the execution of any system command.
Otrs
Otrs Itsm
Otrs Storm
And others...
CVE-2022-0473 Feb 07, 2022
OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.
Otrs
CVE-2022-0474 Feb 07, 2022
Full list of recipients Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.
Otrs
Custom Contact Fields
CVE-2021-36097 Oct 18, 2021
Agents are able to lock the ticket without the "Owner" permission Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
Otrs
CVE-2021-36096 Sep 06, 2021
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
Otrs
CVE-2021-36095 Sep 06, 2021
Malicious attacker is able to find out valid user logins by using the "lost password" feature Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Otrs
CVE-2021-36094 Sep 06, 2021
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Otrs
CVE-2021-36093 Sep 06, 2021
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
Otrs
CVE-2013-4718 Aug 09, 2021
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search.
Otrs
Otrs Itsm
CVE-2013-4717 Aug 09, 2021
Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm.
Otrs
Otrs Itsm
CVE-2021-36092 Jul 26, 2021
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Otrs
CVE-2021-36091 Jul 26, 2021
Agents are able to list appointments in the calendars without required permissions Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Otrs
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.