
OTRS AG — Vulnerabilities & Security Advisories 73

Browse all 73 CVE security advisories affecting OTRS AG. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OTRS AG develops the OTRS IT service management platform, a ticketing system used for enterprise support and incident tracking that was long distributed as open-source software. The platform's broad feature set and long market presence have produced a substantial vulnerability history, with 73 CVEs currently recorded for the vendor. The advisories listed below cluster around a few classes: stored and reflected cross-site scripting; code execution reachable through administrative configuration features (System Configuration, ACL creation); missing or incomplete permission checks that let agents or API callers act beyond their role; credentials leaking into logs or responses; and web-hygiene gaps such as missing CSRF protection, cookie flags and the X-Content-Type-Options header. Many of these stem from insufficient input validation and authorization checks in long-standing modules. The vendor publishes advisories and fixes on a regular cycle, but the volume of historical findings shows how hard a mature, feature-rich application is to secure. Note that a CVE count records disclosed weaknesses, not observed exploitation. Organizations running OTRS should keep to a tight patch cadence, restrict who holds administrative roles (several of the higher-severity issues are reached through admin features), and review logging and TLS configuration for the credential-exposure and certificate-validation issues listed below.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-6060 | Possible DoS via SQL Box | OTRS | CWE-400 | 4.5 | Medium | 2026-04-20 |
| CVE-2025-24391 | Possible user enumeration | OTRS | CWE-203 | 5.3 | Medium | 2025-07-14 |
| CVE-2025-24388 | Unsafe handling of AJAX calls | OTRS | CWE-184 | 3.8 | Low | 2025-06-16 |
| CVE-2025-24387 | Missing CSRF protection | OTRS | CWE-1275 | 4.8 | Medium | 2025-03-10 |
| CVE-2025-24390 | Missing cookie flags | OTRS | CWE-614 | 6.8 | Medium | 2025-01-27 |
| CVE-2025-24389 | SMTP password shown in cleartext on some SMTP errors | OTRS | CWE-532 | 6.3 | Medium | 2025-01-27 |
| CVE-2024-43446 | Improper check of permissions in Generic Interface | OTRS | CWE-269 | 3.5 | Low | 2025-01-27 |
| CVE-2024-43445 | Missing X-Content-Type-Options: nosniff header allows MIME type sniffing | OTRS | CWE-20 | 5.4 | Medium | 2025-01-27 |
| CVE-2024-43444 | Passwords are written to Admin Log module | OTRS | CWE-532 | 8.2 | High | 2024-08-26 |
| CVE-2024-43443 | Stored XSS in process management | OTRS | CWE-790 | 4.9 | Medium | 2024-08-26 |
| CVE-2024-43442 | Stored XSS in System Configuration | OTRS | CWE-790 | 4.9 | Medium | 2024-08-26 |
| CVE-2024-23794 | Agents are able to lock a ticket without the "Owner" permission | OTRS | CWE-266 | 5.2 | Medium | 2024-07-15 |
| CVE-2024-6540 | Information exposure in external interface | OTRS | CWE-790 | 5.7 | Medium | 2024-07-15 |
| CVE-2024-23793 | Upload of files outside application directory | OTRS | CWE-22 | 6.3 | Medium | 2024-06-06 |
| CVE-2024-23790 | Missing file type check in avatar picture upload | OTRS | CWE-20 | 3.5 | Low | 2024-01-29 |
| CVE-2024-23791 | Unnecessary data is written to log if issues occur during indexing | OTRS | CWE-532 | 4.9 | Medium | 2024-01-29 |
| CVE-2024-23792 | Insufficient access control | OTRS | CWE-287 | 5.3 | Medium | 2024-01-29 |
| CVE-2023-6254 | Password is sent back to client | OTRS | CWE-522 | 8.1 | High | 2023-11-27 |
| CVE-2023-5421 | Possible XSS execution in customer information | OTRS | CWE-20 | 3.5 | Low | 2023-10-16 |
| CVE-2023-38059 | External pictures can be loaded even if not allowed by configuration | OTRS | CWE-200 | 5.3 | Medium | 2023-10-16 |
| CVE-2023-5422 | SSL certificates are not checked for e-mail handling | OTRS | CWE-295 | 8.7 | High | 2023-10-16 |
| CVE-2023-38060 | Host header injection by attachments in web service | OTRS | CWE-20 | 6.3 | Medium | 2023-07-24 |
| CVE-2023-38058 | Tickets can be moved without permissions | OTRS | CWE-269 | 4.1 | Medium | 2023-07-24 |
| CVE-2023-38057 | Stored XSS in survey answers | OTRS | CWE-20 | 4.1 | Medium | 2023-07-24 |
| CVE-2023-38056 | Code execution via System Configuration | OTRS | CWE-78 | 7.2 | High | 2023-07-24 |
| CVE-2023-2534 | Information disclosure and DoS via websocket push events | OTRS | CWE-285 | 7.6 | High | 2023-05-08 |
| CVE-2023-1250 | Code execution through ACL creation | OTRS | CWE-20 | 7.4 | High | 2023-03-20 |
| CVE-2023-1248 | Possible XSS in Ticket Actions | OTRS | CWE-79 | 6.1 | Medium | 2023-03-20 |
| CVE-2022-4427 | SQL injection via OTRS Search API | OTRS | CWE-20 | 6.5 | Medium | 2022-12-19 |
| CVE-2022-39052 | DoS attack using email | OTRS | CWE-835 | 7.5 | High | 2022-10-17 |
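Two entries in the table, CVE-2025-24390 (missing cookie flags, CWE-614) and CVE-2024-43445 (missing X-Content-Type-Options: nosniff), describe weaknesses that are visible in a single HTTP response, so they are easy to verify against a running instance after patching or behind a reverse proxy that is supposed to add the headers. The checker below is an added example written for this page; it is not OTRS code and it does not claim to reproduce either advisory's exact test case. The page does not say which cookie flags the advisory refers to, so the checker covers the usual three (Secure, HttpOnly, SameSite). Both sample responses are constructed; the cookie name `SessionID` is a placeholder, not OTRS's real session cookie name.

```python
"""Audit a raw HTTP response for two header-hygiene weaknesses: cookies
set without Secure/HttpOnly/SameSite (CWE-614) and a missing
X-Content-Type-Options: nosniff header.

Added example, not OTRS code. The two responses at the bottom are
constructed; the cookie name SessionID is a placeholder.
"""

from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (lower-cased header name, value)


def parse_response(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 response into its status line and header list.

    Headers are kept as an ordered list rather than a dict because Set-Cookie
    legitimately appears once per cookie and must not be collapsed.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line instead of aborting
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def cookie_findings(set_cookie: str) -> List[str]:
    """Return one finding per missing or weak attribute on a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive

    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name}: missing Secure (would be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name}: missing HttpOnly (readable by injected script)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        shown = samesite or "unset"
        findings.append(f"cookie {cookie_name}: SameSite={shown}, expected Lax or Strict")
    return findings


def audit_response(raw: str) -> List[str]:
    """Collect all findings for one response; an empty list means it passes."""
    _status, headers = parse_response(raw)
    findings: List[str] = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))

    xcto = [v.lower() for n, v in headers if n == "x-content-type-options"]
    if not xcto:
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing possible)")
    elif "nosniff" not in xcto:
        findings.append(f"X-Content-Type-Options is {xcto}, expected nosniff")
    return findings


# Constructed sample: a login response exhibiting both weaknesses.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SessionID=d41d8cd98f00b204; Path=/\r\n"
    "\r\n"
    "<html><body>logged in</body></html>"
)

# Constructed sample: the same response with the flags and header in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: SessionID=d41d8cd98f00b204; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>logged in</body></html>"
)


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = audit_response(response)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

In practice, feed `audit_response` the raw bytes captured from the login and agent-interface endpoints (decoded as ISO-8859-1 so header parsing does not fail on odd bytes), and run it against every response that sets a cookie, not just the first one: a reverse proxy that appends flags to one Set-Cookie header is easy to misconfigure for a second cookie set later in the session.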

This page lists every published CVE security advisory associated with OTRS AG. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.