OTRS Logo - Tagline - Stacked
Contact
Demo
Customer Support
fill 7
Service Management
Asset Management
Security Management
Technology Management
Task Management
Knowledge Management
Platform
How to Buy
FAQ
OTRS App
Services
Product
OTRS
OTRS is a flexible and customizable service management platform
Solution
Service Desk Solutions
Purpose-built solutions apply this system to specific service use cases.
Help Desk
Keep service running at the center.
Customer Service & Support
Ignite your customer connections.
IT Service Management
Shape your IT landscape.
Office Management
Keep your operations in motion.
HR Management
Keep your organization alive.
Cyber Defense – STORM
Defend your digital world.
Partners
Become a Partner
OTRS Partners
OTRS Academy
Webinars about OTRS
Public Trainings
Events
  • 27/10/2026
it-sa

it-sa is one of the largest dialog platforms for industry-specific IT security solutions. It will take place from October 27 to 29, 2026 in Nuremberg.
  • Trade Fair
OTRS Events
Recent Articles
The Path to Effective Ticket Management
Backlogged tickets, long response times, frustrated customers: without effective ticket...
  • Customer Service
How Enterprise Service Management Improves Service Quality Beyond IT
Internal services should be easy to use. In practice, they...
  • ESM
How to Best Use AI and Automation in the Service Desk
Artificial intelligence and automation are now firmly embedded in modern...
  • AI & Automation, Customer Service
View OTRS Blog
Case Studies with OTRS
Success Stories

Release Note

OTRS Security Advisory 2025-06

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2025-06
  • Date: 2025-06-16
  • Title: Unsafe handling of AJAX calls
  • Severity CVSS v3.1: 3.8 LOW
  • Severity CVSS v4.0: 2.1 LOW
  • Urgency: LOW
  • Product: OTRS
  • Fixed in: OTRS 2025.5.2
  • CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L //
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/R:U/RE:L/U:Green
  • References: CVE-2025-24388

 Unsafe handling of AJAX calls

A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user.

PRODUCT AFFECTED:

This issue affects

OTRS:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X
  • OTRS 2025.X
  • ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected.

Problem:

CWE-184 Incomplete List of Disallowed Inputs CWE-184

Impact:

CAPEC-137 Parameter Injection CAPEC-137

Product Status

Product Affected
OTRS AG OTRS » Application Server

Default status is unaffected

 7.0.x
8.0.x
2023.x
2024.x
from 2025.x through 2025.1.2
OTRS AG ((OTRS)) Community Edition » Admin Interface, Agent Interface

Default status is affected

 6.0.x

SOLUTION:

Update to OTRS 2025.5.2. or later. Please note that there will be no OTRS 7 patches and that impact for OTRS 7 and prior is higher.

CREDITS:

Special thanks to Alissa Kim for reporting this vulnerability.

Release Details

  • Release:
    OTRS Security Advisory 2025-06
  • Release date:
    06/16/2025