Autocomplete in the form login screens
Description
In the login screens (agent and customer interfaces), the Username and Password fields use autocomplete, which might be considered a security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Login screens in OTRS and Community Edition have autocomplete enabled on username and password fields, a low-severity information disclosure risk.
Vulnerability
The login screens for both agent and customer interfaces in ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions, and OTRS 7.0.15 and prior versions have the autocomplete attribute enabled on the Username and Password fields [1]. This allows browsers to store entered credentials, which can be retrieved by an attacker with local access to the user's computer or via cross-site scripting in other contexts.
Exploitation
An attacker would need to have physical or remote access to the victim's browser storage or the ability to execute JavaScript in the same browser context (e.g., through a separate XSS). No authentication is needed to reach the login screen; the attack relies on the user's browser having previously saved credentials through autocomplete. The attacker can then extract the stored values from the browser's password manager.
Impact
If successful, the attacker gains the username and password for the OTRS system (agent or customer interface). This represents a low-level confidentiality impact (C:L), as only credential disclosure is possible; the attacker must separately gain access to the browser environment [1].
Mitigation
Upgrade to the fixed versions: OTRS 7.0.16, ((OTRS)) Community Edition 6.0.27, or ((OTRS)) Community Edition 5.0.42 [1]. Patches are available via the referenced commits [1]. No workaround is documented; disabling autocomplete in the login form is the recommended fix.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
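The fix described under Mitigation is a markup change. As an added example (not OTRS project code), the following Node.js audit parses login-form HTML and reports credential fields whose autocomplete attribute is absent or not set to "off"; the sample weak and corrected forms, and the username-field name heuristic, are constructed for this example.

```javascript
// Added example, not part of the OTRS project: audit login-form markup
// for credential inputs that still allow browser autocomplete.
const INPUT_RE = /<input\b[^>]*>/gi;
// name="value", name='value' or name=value (boolean attributes are ignored)
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}
// A credential field is a password input, or a text input whose
// name/id suggests a username (heuristic, an assumption of this example).
function isCredentialField(attrs) {
  const type = (attrs.type || "text").toLowerCase();
  if (type === "password") return true;
  return type === "text" && /user|login/i.test(attrs.name || attrs.id || "");
}

// Returns one finding per credential field whose autocomplete is not "off".
function findAutocompleteIssues(html) {
  const issues = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const attrs = parseAttrs(m[0]);
    if (!isCredentialField(attrs)) continue;
    const ac = (attrs.autocomplete || "").toLowerCase();
    if (ac !== "off") {
      issues.push({ field: attrs.name || attrs.id || "(unnamed)",
                    autocomplete: attrs.autocomplete || "(absent)" });
    }
  }
  return issues;
}

// Constructed sample markup (not taken from OTRS). Weak form: no autocomplete attribute.
const WEAK_FORM = `<form method="post" action="/login">
  <input type="text" name="User" id="User">
  <input type="password" name="Password" id="Password">
</form>`;

// Corrected form: autocomplete="off" on both credential fields.
const FIXED_FORM = `<form method="post" action="/login">
  <input type="text" name="User" id="User" autocomplete="off">
  <input type="password" name="Password" id="Password" autocomplete="off">
</form>`;
console.log(findAutocompleteIssues(WEAK_FORM));  // two findings: User, Password
console.log(findAutocompleteIssues(FIXED_FORM)); // []
```

Current browsers commonly ignore autocomplete="off" on login fields and still offer to save credentials, so this check verifies the served markup, not the browser's behaviour.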
Affected products
- Range: <=5.0.41 and <=6.0.26
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 6.0.29-bp152.2.5.4
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE), range: < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE), range: < 6.0.29-bp152.2.5.4
- OTRS AG / ((OTRS)) Community Edition v5, range: 5.0.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (MITRE; vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (MITRE; vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (MITRE; vendor advisory)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (MITRE; mailing list)
- otrs.com/release-notes/otrs-security-advisory-2020-06/ (MITRE)
News mentions
No linked articles in our index yet.