CVE-2023-38060

Name of the Vulnerable Software and Affected Versions OTRS versions 7.0.X through 7.0.44 OTRS versions 8.0.X through 8.0.34 OTRS Community Edition versions 6.0.1 through 6.0.34

Description The issue is related to an Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules. This allows any authenticated attacker to perform a host header injection for the ContentType header of the attachment.

Recommendations For OTRS versions 7.0.X through 7.0.44, update to version 7.0.45 or later. For OTRS versions 8.0.X through 8.0.34, update to version 8.0.35 or later. For OTRS Community Edition versions 6.0.1 through 6.0.34, update to a version outside of this range or apply a patch if available. As a temporary workaround, consider restricting access to the TicketCreate and TicketUpdate operations of the OTRS Generic Interface modules until a patch is available. Restrict the use of the ContentType parameter for attachments to minimize the risk of exploitation.