PT-2025-10569 · Otrs · Otrs
Alissa Kim · Published 2025-03-10 · Updated 2025-03-24 · CVE-2025-24387
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OTRS versions 7.0.X through 2025.x
Description
A vulnerability in OTRS Application Server allows session hijacking due to missing attributes on sensitive cookies set in HTTPS sessions. This can occur when a request to an OTRS endpoint is triggered from a possibly malicious web site: the browser attaches the authentication cookie to that request, so an unwanted read operation is performed with the victim's session.
Recommendations
For OTRS versions 7.0.X through 2025.x, consider restricting access to sensitive cookie settings to minimize the risk of session hijacking until a patch is available. As a temporary workaround, review and adjust the HTTPS session settings so that sensitive cookies carry the proper attributes.
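The advisory does not name which cookie attributes are missing. The following script is an added illustration (not OTRS code and not part of this advisory) of how an administrator can verify the workaround from the outside: it parses Set-Cookie response headers and reports session cookies that lack the standard attributes that keep a cookie from being sent over plain HTTP, read by script, or attached to cross-site requests (Secure, HttpOnly and SameSite=Lax/Strict). The header values and the cookie name "SessionID" are constructed sample data, not values from the advisory.

```python
"""Audit Set-Cookie headers for the attributes that limit cross-site use of a session cookie.

Added example for this advisory; it is not OTRS code. The sample headers below are
constructed, and the attribute checks follow the standard cookie attributes
(Secure, HttpOnly, SameSite), which the advisory itself does not name.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieReport:
    name: str
    attrs: Dict[str, str]          # attribute name (lower-cased) -> value ("" for flags)
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header value into the cookie name and its attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(name=name, attrs=attrs)


def audit_session_cookie(header: str) -> CookieReport:
    """Flag a cookie that lacks the attributes a session cookie over HTTPS should carry."""
    report = parse_set_cookie(header)
    a = report.attrs
    if "secure" not in a:
        report.findings.append("missing Secure: cookie may also be sent over plain HTTP")
    if "httponly" not in a:
        report.findings.append("missing HttpOnly: cookie is readable from page script")
    # An absent SameSite or SameSite=None both let the browser attach the cookie
    # to requests initiated by another site, which is the condition described above.
    if a.get("samesite", "").lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: cookie is sent on cross-site requests")
    return report


def audit_response_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for every cookie in a list of Set-Cookie values."""
    return {r.name: r.findings for r in map(audit_session_cookie, headers)}


# Constructed sample responses: a weak cookie and a hardened one.
SAMPLE_HEADERS = [
    "SessionID=abc123; Path=/; Secure",
    "SessionID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = audit_session_cookie(header)
        status = "OK " if report.ok else "FAIL"
        print(f"{status} {header}")
        for finding in report.findings:
            print(f"     - {finding}")
```

Run it against the Set-Cookie headers returned by the application's login endpoint (for example, copied from a browser's developer tools); any cookie listed with findings still needs its attributes adjusted.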
Fix
CSRF
Affected Products: Otrs