Alissa Kim

**Name of the Vulnerable Software and Affected Versions** OTRS versions prior to 8 OTRS Community Edition version 6.0.x **Description** A vulnerability in the OTRS Admin Interface and Agent Interface allows parameter injection for an authenticated agent or admin user. This issue affects several versions of OTRS, including OTRS 7.0.X, OTRS 8.0.X, OTRS 2023.X, OTRS 2024.X, and OTRS 2025.X. Products based on the OTRS Community Edition are also likely to be affected. **Recommendations** For OTRS versions prior to 8, update to version 8 or later to resolve the issue. For OTRS Community Edition version 6.0.x, consider upgrading to a newer version or applying available patches to mitigate the risk. As a temporary workaround, consider restricting access to the Admin Interface and Agent Interface for authenticated agents and admin users until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OTRS versions 7.0.X through 2025.x **Description** A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This can occur when a request is made to an OTRS endpoint from a possible malicious web site, resulting in the authentication cookie being sent and performing an unwanted read operation. **Recommendations** For OTRS versions 7.0.X through 2025.x, consider restricting access to sensitive cookie settings to minimize the risk of session hijacking until a patch is available. As a temporary workaround, review and adjust the HTTPS session settings to include proper attributes for sensitive cookies.

**Name of the Vulnerable Software and Affected Versions** OTRS versions 7.0.X through 8.0.X OTRS versions 2023.X through 2024.X **Description** The issue is related to a vulnerability in the OTRS Application Server and reverse proxy settings, which allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This can enable a remote attacker to hijack sessions. **Recommendations** For OTRS versions 7.0.X, update the reverse proxy settings to include the necessary attributes for sensitive cookie settings. For OTRS versions 8.0.X, ensure that the HTTPS sessions have the correct attributes set for sensitive cookies. For OTRS versions 2023.X and 2024.X, apply the recommended configuration changes to the reverse proxy settings to mitigate the issue. As a temporary workaround, consider restricting access to sensitive areas of the application until the issue is fully resolved.

**Name of the Vulnerable Software and Affected Versions** OTRS versions 6.0.x through 8.0.x OTRS versions 2023.x through 2024.x OTRS Community Edition version 6.0.x **Description** The issue is related to the incorrect handling of HTTP request headers due to insufficient input validation, which may allow a remote attacker to upload arbitrary files. This vulnerability can be exploited by uploading or inserting content that would be treated as a different MIME type than intended, as the HTTP response header X-Content-Type-Options is not set to nosniff. **Recommendations** For OTRS versions 6.0.x through 8.0.x, consider setting the HTTP response header X-Content-Type-Options to nosniff to prevent MIME type confusion. For OTRS versions 2023.x through 2024.x, set the HTTP response header X-Content-Type-Options to nosniff to mitigate the risk of exploitation. For OTRS Community Edition version 6.0.x, apply the same mitigation as for the standard OTRS versions by setting the X-Content-Type-Options header to nosniff.