github - ghsa-3gw9-qxrf-m4p6

ghsa-3gw9-qxrf-m4p6

Vulnerability from github

Published

2025-06-16 12:30

Modified

2025-06-16 12:30

Severity ?

3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Details

A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user.

This issue affects:

OTRS 7.0.X
OTRS 8.0.X
OTRS 2023.X
OTRS 2024.X
OTRS 2025.X
((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-24388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-16T12:15:18Z",
    "severity": "LOW"
  },
  "details": "A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user.\n\nThis issue affects: \n\n  *  OTRS 7.0.X\n\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS 2024.X\n  *  OTRS 2025.X\n\n  *  ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected",
  "id": "GHSA-3gw9-qxrf-m4p6",
  "modified": "2025-06-16T12:30:26Z",
  "published": "2025-06-16T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24388"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2025-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-24388 (GCVE-0-2025-24388)

Vulnerability from cvelistv5

Published

2025-06-16 11:29

Modified

2025-06-16 15:01

Severity ?

3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-184 - Incomplete List of Disallowed Inputs

Summary

A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected

References

►

URL

Tags

https://otrs.com/release-notes/otrs-security-advisory-2025-06/

Impacted products

Vendor

Product

Version

►

Version: 7.0.x
Version: 8.0.x
Version: 2023.x
Version: 2024.x
Version: 2025.x

((OTRS)) Community Edition

Version: 6.0.x

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24388",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T14:59:52.657688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T15:01:06.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Admin Interface",
            "Agent Interface (versions before OTRS 8)"
          ],
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "affected",
              "version": "7.0.x"
            },
            {
              "status": "affected",
              "version": "8.0.x"
            },
            {
              "status": "affected",
              "version": "2023.x"
            },
            {
              "status": "affected",
              "version": "2024.x"
            },
            {
              "lessThanOrEqual": "2025.5.1",
              "status": "affected",
              "version": "2025.x",
              "versionType": "Patch"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "modules": [
            "Admin Interface",
            "Agent Interface"
          ],
          "product": "((OTRS)) Community Edition",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.x"
            }
          ]
        }
      ],
      "datePublic": "2025-06-16T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user.\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003eThis issue affects: \u003c/p\u003e\u003cul\u003e\u003cli\u003eOTRS 7.0.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003eOTRS 8.0.X\u003c/li\u003e\u003cli\u003eOTRS 2023.X\u003c/li\u003e\u003cli\u003eOTRS 2024.X\u003c/li\u003e\u003cli\u003eOTRS 2025.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003e((OTRS)) Community Edition: 6.0.x\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003eProducts based on the ((OTRS)) Community Edition also very likely to be affected\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user.\n\nThis issue affects: \n\n  *  OTRS 7.0.X\n\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS 2024.X\n  *  OTRS 2025.X\n\n  *  ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184 Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-16T11:29:20.295Z",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2025-06/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to OTRS 2025.5.2. or later. Please note that there will be no OTRS 7 patches and that impact for OTRS 7 and prior is higher."
            }
          ],
          "value": "Update to OTRS 2025.5.2. or later. Please note that there will be no OTRS 7 patches and that impact for OTRS 7 and prior is higher."
        }
      ],
      "source": {
        "advisory": "OSA-2025-06",
        "defect": [
          "Issue#3738"
        ],
        "discovery": "USER"
      },
      "title": "Unsafe handling of AJAX calls",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2025-24388",
    "datePublished": "2025-06-16T11:29:20.295Z",
    "dateReserved": "2025-01-21T09:09:58.720Z",
    "dateUpdated": "2025-06-16T15:01:06.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.