OTRS is now part of Easyvista. Stronger together!
  • OTRS Software Solutions
    Customizable Software
    OTRS
    OTRS is flexible and customizable software with out-of-the-box solutions for all service management needs.
    OTRS On-Premise & Managed Comparison
    ((OTRS)) Community Edition
    OTRS App
    Solutions for
    Customer Service & Support
    Boost customer satisfaction very rapidly – never miss requests, lower the response time (MTTR)
    IT Service Management
    Support for your IT department with automated, ITIL4-compliant processes
    Office Management
    Automate office management processes with our software solution
    HR Management
    Support your HR team with numerous processes, such as application or leave management
    Cyber Defense & Security Incidents – STORM
    The solution for fast security orchestration, automation, and incident response
    Roadmap
    Release Notes
    Security Advisories
  • Use Cases
    Service Management
    Security Management
    Task Management
    Asset Management
    Technology Management
    Knowledge Management
  • Success Stories
  • Blog
  • Services
    Services
    Services
    Consulting, training, customer service: Find official OTRS services
    FAQ
    OTRS Trainings
    Webinars about OTRS
    Get useful information about the latest OTRS version. Watch how OTRS works.
    Public Trainings
    Customer Portal
    Contact Sales
    Contact Consulting
    Contact Customer Service
  • Partners
    Partner Locator
    Become a Partner
Contact
Demo
Customer Support
fill 7
fill 7
OTRS - Home
OTRS is now part of Easyvista. Stronger together!

Release Note

OTRS Security Advisory 2025-05

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2025-05
  • Date: 2025-03-10
  • Title: Missing CSRF protection
  • Severity CVSS v3.1: 4.8 MEDIUM
  • Severity CVSS v4.0: 5.7 MEDIUM
  • Urgency: MEDIUM
  • Product: OTRS
  • Fixed in: OTRS 2025.2.x
  • CVSS VECTOR:  CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N / CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:A/RE:L/U:Clear
  • References: CVE-2025-24387

Missing CSRF protection

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.

PRODUCT AFFECTED:

This issue affects

OTRS:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X
  • OTRS 2025.x

Problem:

CWE-1275: Sensitive Cookie with Improper SameSite Attribute CWE-1275

Impact:

CAPEC-593 Session Hijacking CAPEC-593

Product Status

Product Affected
OTRS AG OTRS » Application Server

Default status is unaffected

 7.0.x
8.0.x
2023.x
2024.x
from 2025.x through 2025.1.2

SOLUTION:

Update to OTRS 2025.2.x. Please note that there will be no OTRS 7 patches

CREDITS:

Special thanks to Alissa Kim for reporting this vulnerability.

Release Details

  • Release:
    OTRS Security Advisory 2025-05
  • Release date:
    03/10/2025
Instagram Twitter Facebook Linkedin Youtube
© 2025, OTRS AG
Company
Contact