Watch our latest webinar: What’s Real with AI in IT Right Now
OTRS Logo and Tagline
OTRS Logo and Tagline
Demo
Customer Support
fill 7
Service Management
Asset Management
Security Management
Technology Management
Task Management
Knowledge Management
Platform
How to Buy
FAQ
OTRS App
Services
Product
OTRS
OTRS is a flexible and customizable service management platform
Solution
Service Desk Solutions
Purpose-built solutions apply this system to specific service use cases.
Help Desk
Keep service running at the center.
Customer Service & Support
Ignite your customer connections.
IT Service Management
Shape your IT landscape.
Office Management
Keep your operations in motion.
HR Management
Keep your organization alive.
Cyber Defense – STORM
Defend your digital world.
Partners
Become a Partner
OTRS Partners
OTRS Academy
Webinars about OTRS
Public Trainings
OTRS Academy
Events
  • 27/10/2026
it-sa

it-sa is one of the largest dialog platforms for industry-specific IT security solutions. It will take place from October 27 to 29, 2026 in Nuremberg.
  • Trade Fair
OTRS Events
Recent Articles
How AI and Best Practices Create Personalized Service
Companies and their customers benefit from personalized service experiences. This
  • AI & Automation, Customer Service
Shadow AI and Its Risks
Shadow AI has become a major topic. This article explains
  • AI & Automation, Security & Compliance
View OTRS Blog
Case Studies with OTRS

OTRS success stories highlight how real customers use OTRS to improve service & automate business processes to achieve operational success.

Success Stories

Release Note

OTRS Security Advisory 2025-04

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2025-04
  • Date: 2025-01-27
  • Title: Missing Cookie Flags
  • Severity CVSS v3.1: 6.8 MEDIUM
  • Severity CVSS v4.0: 7.4 HIGH
  • Urgency: MEDIUM
  • Product: OTRS
  • Fixed in: OTRS 2025.1.x
  • CVSS VECTOR: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N / CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:A/RE:L/U:Clear
  • References: CVE-2025-24390

Missing Cookie Flags

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.

PRODUCT AFFECTED:

This issue affects

OTRS:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X

Problem:

CWE-614 Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute CWE-614

Impact:

CAPEC-593 Session Hijacking CAPEC-593

Product Status

Product Affected
OTRS AG OTRS » OTRS Application Server, Reverse Proxy

Default status is unaffected

 7.0.x
8.0.x
2023.x
2024.x

SOLUTION:

Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches

CREDITS:

Special thanks to Alissa Kim for reporting this vulnerability.

Release Details

  • Release:
    OTRS Security Advisory 2025-04
  • Release date:
    01/27/2025