CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-43445: Missing X-Content-Type-Options: nosniff Header Allows MIME Type Sniffing

5.4 CVSS

Description

A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.

This issue affects:

* OTRS 7.0.X

* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X

* ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Classification

CVE ID: CVE-2024-43445

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

Affected Products

Vendor: OTRS AG

Product: OTRS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (scored less or equal to compared to others)

EPSS Date: 2025-02-25 (when was this score calculated)

References

https://otrs.com/release-notes/otrs-security-advisory-2025-01/

Timeline

2025-01-28 00:30:21 UTC
CVE

Missing X-Content-Type-Options: nosniff Header Allows MIME Type Sniffing