CVE-2024-43443
CVE-2024-43443 is a medium-severity vulnerability with a CVSS 3.x base score of 4.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-790.
Key facts
- Severity: Medium (CVSS 3.x base score 4.9)
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-40280
- Weakness: CWE-790
- Published:
- Last modified:
Description
Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Frequently asked questions
- What is CVE-2024-43443?
- Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
- How severe is CVE-2024-43443?
- CVE-2024-43443 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2024-43443 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-43443?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-43443 have an EU (EUVD) identifier?
- Yes. CVE-2024-43443 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-40280.
- When was CVE-2024-43443 published?
- CVE-2024-43443 was published on 2024-08-26 and last updated on 2026-06-17.
References
Other CWE-790 vulnerabilities
- CVE-2023-22578 — Critical (CVSS 10.0): Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.
- CVE-2023-45239 — Critical (CVSS 9.8): A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are…
- CVE-2024-31616 — High (CVSS 8.8): An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version…
- CVE-2026-2328 — High (CVSS 7.5): An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their…
- CVE-2025-27260 — High (CVSS 7.5): Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of…
- CVE-2025-0431 — Medium (CVSS 5.8): Enterprise Protection contains a vulnerability in URL rewriting that allows an unauthenticated remote attacker to send…