Unrated severity · NVD Advisory · Published Jan 10, 2020 · Updated Sep 16, 2024

Spoofing of From field in several screens

CVE-2020-1765

Description

An improper control of parameters allows the spoofing of the From fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions and 6.0.x version 6.0.24 and prior versions, and OTRS 7.0.x version 7.0.13 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper parameter control in OTRS allows authenticated agents to spoof the From field in ticket compose, forward, bounce, and email outbound screens.

Vulnerability

An improper control of parameters in OTRS enables the spoofing of the From field in the AgentTicketCompose, AgentTicketForward, AgentTicketBounce, and AgentTicketEmailOutbound screens. This issue affects ((OTRS)) Community Edition 5.0.x up to version 5.0.39, 6.0.x up to version 6.0.24, and OTRS 7.0.x up to version 7.0.13 [1]. The underlying defect is that these screens take the sender address from the submitted request parameters without checking, server-side, that it is one of the sender addresses the agent is actually allowed to use, so the submitted value ends up in the From header of the outgoing mail.

Exploitation

An attacker must be an authenticated agent with network access to the OTRS web interface and access to the affected screens; the CVSS vector also records user interaction as required. The attacker manipulates the parameters that control the From field, for example by editing the submitted form data or replaying the request with a modified From value, so that an arbitrary email address is used as the sender. No privileges beyond the standard agent role are needed, and the attack can be performed remotely over the network [1].
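The pattern behind "improper control of parameters", shown as an added example that is not OTRS code: a request handler that trusts the submitted From parameter beside one that only lets the request choose among the queue's configured sender addresses. The Queue structure, the function names, the queue configuration and the request data are all hypothetical constructs for this illustration.

```python
"""Model of the From-field control flaw described above.

Added example, not OTRS code: the Queue structure, the function names and the
sample data are hypothetical, chosen only to contrast the vulnerable pattern
(trusting the submitted From parameter) with a server-side allowlist check.
"""
import re
from dataclasses import dataclass
from email.utils import formataddr
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Queue:
    name: str
    display_name: str                # display name used on every mail the queue sends
    system_address: str              # default sender address
    allowed_senders: FrozenSet[str]  # all addresses this queue may send as


# Constructed sample configuration (assumption): one queue, two valid senders.
QUEUES: Dict[str, Queue] = {
    "Support": Queue(
        name="Support",
        display_name="Example Support",
        system_address="support@example.test",
        allowed_senders=frozenset({"support@example.test", "helpdesk@example.test"}),
    ),
}

# A bare addr-spec only: no display name, no angle brackets, no whitespace and
# no CR/LF, so a header-injection payload can never match.
ADDR_SPEC = re.compile(r'[^\s@<>,;:"\\]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}')


def build_headers_vulnerable(params: Dict[str, str], queue: Queue) -> Dict[str, str]:
    """Vulnerable pattern: whatever arrives in the From parameter is used verbatim,
    so editing a hidden field or replaying the request with a modified value
    makes the ticket system send mail as any address at all."""
    sender = params.get("From") or queue.system_address
    return {"From": sender, "To": params["To"], "Subject": params["Subject"]}


def select_sender(requested: Optional[str], queue: Queue) -> str:
    """Server-side sender selection: the request may only choose among the
    queue's configured addresses. Anything else is rejected rather than
    silently corrected, so a tampering attempt ends up in the application log."""
    if requested is None or not requested.strip():
        return queue.system_address
    addr = requested.strip().lower()
    if not ADDR_SPEC.fullmatch(addr) or addr not in queue.allowed_senders:
        raise PermissionError(
            f"From {requested!r} is not a configured sender address of queue {queue.name}"
        )
    return addr


def build_headers_hardened(params: Dict[str, str], queue: Queue) -> Dict[str, str]:
    """Hardened pattern: the address comes from select_sender() and the display
    name from the queue configuration, never from the request."""
    addr = select_sender(params.get("From"), queue)
    return {
        "From": formataddr((queue.display_name, addr)),
        "To": params["To"],
        "Subject": params["Subject"],
    }


if __name__ == "__main__":
    # Constructed request: an agent sets From to an address the queue does not own.
    tampered = {"From": "ceo@example.test", "To": "victim@example.test",
                "Subject": "Urgent: approve this payment"}
    print("vulnerable:", build_headers_vulnerable(tampered, QUEUES["Support"])["From"])
    try:
        build_headers_hardened(tampered, QUEUES["Support"])
    except PermissionError as exc:
        print("hardened:   rejected:", exc)
```

Two design points carry over to any ticket or notification system: the check must compare a parsed, normalised addr-spec against the server-side allowlist (a display name or a second bracketed address in the parameter must not be able to change what is compared), and the display name should be taken from configuration rather than echoed from the request, since a trusted address with an attacker-chosen display name is still a convincing phish.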

Impact

Successful exploitation allows the attacker to send emails from the OTRS system with a spoofed From address. This can be used for phishing, impersonation of other users or external parties, or to bypass email-based trust mechanisms: the spoofed message leaves through the organisation's own mail infrastructure, so recipient-side checks that key on the sending server rather than on the individual mailbox do not flag it. The rated impact is limited to integrity (low), since the attacker gains no read access to other data and cannot affect availability; what is compromised is the authenticity of the mail the system sends. The CVSS v3.1 score is 3.5 (LOW) [1].

Mitigation

The vulnerability is fixed in OTRS 7.0.14, ((OTRS)) Community Edition 6.0.25, and ((OTRS)) Community Edition 5.0.40, released on 2020-01-10 [1]. Patches are available via the official OTRS GitHub repository for Community Edition 6 and 5. No workarounds are documented, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Users should upgrade to the patched versions immediately; where the upgrade is delayed, outbound articles whose From address is not one of the system addresses configured for the sending queue are the signal to look for in the mail and application logs.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
