Otrs
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Otrs.
By the Year
In 2025 there have been 1 vulnerability in Otrs with an average score of 6.5 out of ten. Last year, in 2024 Otrs had 5 security vulnerabilities published. Right now, Otrs is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.82
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 1 | 6.50 |
2024 | 5 | 7.32 |
2023 | 12 | 6.77 |
2022 | 14 | 6.06 |
2021 | 15 | 5.69 |
2020 | 18 | 5.12 |
2019 | 13 | 5.62 |
2018 | 2 | 5.75 |
It may take a day or so for new Otrs vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Otrs Security Vulnerabilities
A vulnerability in OTRS Application Server
CVE-2025-24387
6.5 - Medium
- March 10, 2025
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.x
Session Riding
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation
CVE-2024-23794
7.5 - High
- July 15, 2024
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS: * 8.0.X * 2023.X * from 2024.X through 2024.4.x
Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could
CVE-2024-6540
5.3 - Medium
- July 15, 2024
Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
Improper Input Validation vulnerability in the upload functionality for user avatars
CVE-2024-23790
9.8 - Critical
- January 29, 2024
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
Improper Validation of Integrity Check Value
Insertion of debug information into log file during building the elastic search index
CVE-2024-23791
7.5 - High
- January 29, 2024
Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Insertion of Sensitive Information into Log File
When adding attachments to ticket comments,
another user can add attachments as well impersonating the orginal user
CVE-2024-23792
6.5 - Medium
- January 29, 2024
When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
authentification
A Vulnerability in OTRS AgentInterface and ExternalInterface
CVE-2023-6254
7.5 - High
- November 27, 2023
A Vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are send back to the client in the server response- This issue affects OTRS: from 8.0.X through 8.0.37.
Insufficiently Protected Credentials
The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload
CVE-2023-38059
5.3 - Medium
- October 16, 2023
The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload. This can be used to retreive the IP of the user.This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code
CVE-2023-5421
5.5 - Medium
- October 16, 2023
An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
XSS
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication
CVE-2023-5422
9.1 - Critical
- October 16, 2023
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Improper Certificate Validation
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g
CVE-2023-38056
7.2 - High
- July 24, 2023
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Shell injection
An improper input validation vulnerability in OTRS Survey modules
CVE-2023-38057
5.4 - Medium
- July 24, 2023
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
XSS
An improper privilege check in the OTRS ticket move action in the agent interface
CVE-2023-38058
4.3 - Medium
- July 24, 2023
An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
AuthZ
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules
CVE-2023-38060
8.8 - High
- July 24, 2023
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Injection
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend)
CVE-2023-2534
8.1 - High
- May 08, 2023
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation and the number of active users. (Flooding)This issue affects OTRS: from 8.0.X before 8.0.32.
AuthZ
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12
CVE-2018-17883
6.1 - Medium
- April 16, 2023
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS.
XSS
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules)
CVE-2023-1248
6.1 - Medium
- March 20, 2023
Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
XSS
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules)
CVE-2023-1250
7.8 - High
- March 20, 2023
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Code Injection
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition
CVE-2022-4427
9.8 - Critical
- December 19, 2022
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
SQL Injection
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
CVE-2022-39052
6.5 - Medium
- October 17, 2022
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
Infinite Loop
Article template contents with sensitive data could be accessed
CVE-2022-3501
7.5 - High
- October 17, 2022
Article template contents with sensitive data could be accessed from agents without permissions.
AuthZ
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
CVE-2022-39049
4.8 - Medium
- September 05, 2022
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
XSS
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link
CVE-2022-39050
4.8 - Medium
- September 05, 2022
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
XSS
Attacker might be able to execute malicious Perl code in the Template toolkit
CVE-2022-39051
8.8 - High
- September 05, 2022
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
Improper Control of Dynamically-Managed Code Resources
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar
CVE-2022-32739
5.3 - Medium
- June 13, 2022
When Secure::DisableBanner system configuration has been disabled and agent shares his calendar via public URL, received ICS file contains OTRS release number.
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.
CVE-2022-32740
5.3 - Medium
- June 13, 2022
A reply to a forwarded email article by a 3rd party could unintensionally expose the email content to the ticket customer under certain circumstances.
Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature
CVE-2022-32741
5.3 - Medium
- June 13, 2022
Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
Specially crafted string in OTRS system configuration can
CVE-2021-36100
8.8 - High
- March 21, 2022
Specially crafted string in OTRS system configuration can allow the execution of any system command.
Shell injection
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed)
CVE-2022-0475
5.4 - Medium
- March 21, 2022
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32 and prior versions, 8.0.x version: 8.0.19 and prior versions.
XSS
Accounted time is shown in the Ticket Detail View (External Interface)
CVE-2022-1004
4.3 - Medium
- March 21, 2022
Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled.
Information Disclosure
Full list of recipients
CVE-2022-0474
3.5 - Low
- February 07, 2022
Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.
Information Disclosure
OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check
CVE-2022-0473
4.8 - Medium
- February 07, 2022
OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be exectued in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.
XSS
Agents are able to lock the ticket without the "Owner" permission
CVE-2021-36097
4.3 - Medium
- October 18, 2021
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden
CVE-2021-36096
4.9 - Medium
- September 06, 2021
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
Cleartext Storage of Sensitive Information
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS
CVE-2021-36093
5.3 - Medium
- September 06, 2021
It's possible to create an email which can be stuck while being processed by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack
CVE-2021-36094
5.4 - Medium
- September 06, 2021
It's possible to craft a request for appointment edit screen, which could lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
XSS
Malicious attacker is able to find out valid user logins by using the "lost password" feature
CVE-2021-36095
5.3 - Medium
- September 06, 2021
Malicious attacker is able to find out valid user logins by using the "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions.
Weak Password Recovery Mechanism for Forgotten Password
Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9
CVE-2013-4717
8.8 - High
- August 09, 2021
Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm.
SQL Injection
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7
CVE-2013-4718
5.4 - Medium
- August 09, 2021
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) ITSM 3.0.x before 3.0.9, 3.1.x before 3.1.10, and 3.2.x before 3.2.7 allows remote authenticated users to inject arbitrary web script or HTML via an ITSM ConfigItem search.
XSS
Agents are able to list customer user emails without required permissions in the bulk action screen
CVE-2021-21443
4.3 - Medium
- July 26, 2021
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden
CVE-2021-21440
6.5 - Medium
- July 26, 2021
Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
Agents are able to list appointments in the calendars without required permissions
CVE-2021-36091
4.3 - Medium
- July 26, 2021
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
AuthZ
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack
CVE-2021-36092
6.1 - Medium
- July 26, 2021
It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and prior versions.
XSS
There is a XSS vulnerability in the ticket overview screens
CVE-2021-21441
7.5 - High
- June 16, 2021
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions.
XSS
DoS attack can be performed when an email contains specially designed URL in the body
CVE-2021-21439
6.5 - Medium
- June 14, 2021
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
Improper Handling of Exceptional Conditions
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category)
CVE-2021-21438
4.3 - Medium
- March 22, 2021
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
Incorrect Default Permissions
Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface
CVE-2021-21435
6.5 - Medium
- February 08, 2021
Article Bcc fields and agent personal information are shown when customer prints the ticket (PDF) via external interface. This issue affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x version 8.0.10 and prior versions.
Information Disclosure
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid
CVE-2020-1778
4.3 - Medium
- November 23, 2020
When OTRS uses multiple backends for user authentication (with LDAP), agents are able to login even if the account is set to invalid. This issue affects OTRS; 8.0.9 and prior versions.
authentification
Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets
CVE-2020-1777
5.3 - Medium
- October 15, 2020
Agent names that participates in a chat conversation are revealed in certain parts of the external interface as well as in chat transcriptions inside the tickets, when system is configured to mask real agent names. This issue affects OTRS; 7.0.21 and prior versions, 8.0.6 and prior versions.
Information Disclosure
When an agent user is renamed or set to invalid the session belonging to the user is keept active
CVE-2020-1776
4.3 - Medium
- July 20, 2020
When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.
Insufficient Session Expiration