PT-2025-2647

Alissa Kim · Published 2024-08-13 · Updated 2025-01-27 · CVE-2024-43445

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OTRS versions 6.0.x through 8.0.x
OTRS versions 2023.x through 2024.x
OTRS Community Edition version 6.0.x

Description
The issue stems from incorrect handling of HTTP request headers due to insufficient input validation, which may allow a remote attacker to upload arbitrary files. It can be exploited by uploading or inserting content that the browser then treats as a different MIME type than the one intended, because the HTTP response header X-Content-Type-Options is not set to nosniff.

Recommendations
For OTRS versions 6.0.x through 8.0.x, consider setting the HTTP response header X-Content-Type-Options to nosniff to prevent MIME type confusion. For OTRS versions 2023.x through 2024.x, set the HTTP response header X-Content-Type-Options to nosniff to mitigate the risk of exploitation. For OTRS Community Edition version 6.0.x, apply the same mitigation as for the standard OTRS versions by setting the X-Content-Type-Options header to nosniff.
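To verify the mitigation above, an added example (not part of the advisory or of OTRS itself) that parses a raw HTTP response and reports whether X-Content-Type-Options: nosniff is present; the two sample responses are constructed, not captured from a real OTRS instance.

```python
# Added example, not from the advisory or the OTRS project: audit an HTTP
# response for the X-Content-Type-Options: nosniff mitigation. Header names
# are case-insensitive and a header may be repeated, so both are handled.
from typing import Dict, List


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response (status line included).

    Keys are lowercased header names; values are lists because a header may
    legitimately appear more than once. The body, if any, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # malformed or folded line; not a header we can use
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def nosniff_finding(raw: str) -> str:
    """Return "ok" when nosniff is set, otherwise a short description of the gap."""
    values = [v.lower() for v in
              parse_response_headers(raw).get("x-content-type-options", [])]
    if not values:
        return "missing: X-Content-Type-Options header not sent"
    if "nosniff" not in values:
        return "invalid: X-Content-Type-Options present but value is not nosniff"
    return "ok"


# Constructed sample responses: the unmitigated case and the mitigated one.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "x-content-type-options: nosniff\r\n"  # lowercase name still matches
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

if __name__ == "__main__":
    for label, resp in (("before", VULNERABLE_RESPONSE), ("after", FIXED_RESPONSE)):
        print(f"{label}: {nosniff_finding(resp)}")
```

Under Apache with mod_headers, the usual front end for OTRS, the directive `Header always set X-Content-Type-Options "nosniff"` emits the header on every response, after which this check should report "ok".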

Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-01304
CVE-2024-43445

Affected Products

Otrs
Otrs Community Edition