{"id":"CVE-2023-38060","details":"Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows  any authenticated attacker to  to perform an host header injection for the ContentType header of the attachment. \n\n\nThis issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.","modified":"2026-03-14T12:08:11.549502Z","published":"2023-07-24T09:15:10.073Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"},{"type":"ADVISORY","url":"https://otrs.com/release-notes/otrs-security-advisory-2023-04/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38060.json","unresolved_ranges":[{"events":[{"introduced":"6.0.1"},{"last_affected":"6.0.34"}]},{"events":[{"introduced":"7.0.0"},{"fixed":"7.0.45"}]},{"events":[{"introduced":"8.0.0"},{"fixed":"8.0.35"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}