VYPR
Medium severity 5.4 · NVD Advisory · Published Jan 27, 2025 · Updated Apr 15, 2026

CVE-2024-43445

Description

A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.

This issue affects:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X
  • ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition are also very likely to be affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OTRS and ((OTRS Community Edition)) fail to set the X-Content-Type-Options: nosniff header, allowing MIME type sniffing by an attacker.

What is the vulnerability?

CVE-2024-43445 is a missing security header vulnerability in OTRS and ((OTRS Community Edition)). The application fails to set the X-Content-Type-Options HTTP response header to nosniff. This header is designed to prevent browsers from interpreting files as a different MIME type than what the server declares. Its absence means the browser may perform MIME type sniffing, potentially treating user-uploaded or injected content as executable code, such as HTML or JavaScript, when the server intended it to be a benign type like plain text or an image. This issue is classified under CWE-20: Improper Input Validation [1].

How is it exploited?

An attacker can exploit this vulnerability by uploading or inserting content (e.g., via file upload functionality or user-editable fields) which, when served without the nosniff header, the browser may interpret as a different, more dangerous MIME type than the one the server declared. The attack requires user interaction (UI:R) and can be performed over the network (AV:N) without authentication (PR:N); the attacker does not need to be on the same network segment. The vulnerability affects multiple product lines: OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, and ((OTRS Community Edition)) 6.0.x. Products based on the Community Edition are also likely affected [1].

Impact

A successful exploitation can lead to partial loss of confidentiality and integrity (C:L, I:L). The attacker may be able to execute client-side attacks such as cross-site scripting (XSS) or other content injection attacks in the context of the victim's browser session. This could result in information disclosure or unauthorized actions being performed on the OTRS system on behalf of the victim. The CVSS v3.1 base score is 5.4 (Medium) [1].

Mitigation

The vulnerability is fixed in OTRS version 2025.1.x. Users of OTRS 7.0.x and 8.0.x should note that no patches will be released for those branches, as they have reached end-of-life. The recommended action is to upgrade to the latest supported version. For ((OTRS Community Edition)) 6.0.x, the default status is affected, and users should apply the latest patches or upgrade. The advisory credits Alissa Kim for reporting the issue [1].
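As an added example (not part of this advisory or of OTRS itself), the following Python audit parses a raw HTTP response and reports whether the X-Content-Type-Options: nosniff header described above is present and well-formed, which is the check a defender would run against an OTRS instance before and after upgrading. The two sample responses are constructed for the example, not captured from a real server.

```python
"""Audit an HTTP response for the weakness behind CVE-2024-43445:
a missing or malformed X-Content-Type-Options: nosniff header."""
from typing import Dict, List

# Constructed sample responses (not captured from OTRS): one without the
# header, as the advisory describes, and one with the expected fix applied.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Length: 11\r\n\r\nhello world"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 11\r\n\r\nhello world"
)

def parse_response_headers(raw: bytes) -> Dict[str, List[str]]:
    """Return headers as lower-cased name -> list of values (HTTP header
    names are case-insensitive; a list keeps repeated headers visible)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:  # ignore malformed lines without a colon
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def audit_nosniff(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one response; an empty list means it is fine."""
    findings: List[str] = []
    values = headers.get("x-content-type-options", [])
    # Browsers honour only the token "nosniff" (matched case-insensitively).
    if not values:
        findings.append("X-Content-Type-Options header missing")
    elif not any(v.lower() == "nosniff" for v in values):
        findings.append(f"X-Content-Type-Options has unexpected value(s): {values}")
    # nosniff only makes the browser trust the declared type; with no
    # Content-Type there is nothing to trust and sniffing happens anyway.
    if "content-type" not in headers:
        findings.append("Content-Type header missing, so nosniff cannot apply")
    return findings

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_nosniff(parse_response_headers(raw)) or ["OK"])
```

To audit a live instance, feed the function the raw bytes of a response to an attachment or avatar download URL; the audit also flags a response that sets nosniff but omits Content-Type, since the header is ineffective in that case.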

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
