CVE-2023-38060: 
Linux Debian vulnerability analysis and mitigation

An Improper Input Validation vulnerability (CVE-2023-38060) was discovered in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules. The vulnerability affects OTRS versions 7.0.X before 7.0.45, 8.0.X before 8.0.35, and ((OTRS)) Community Edition versions 6.0.1 through 6.0.34. The vulnerability was disclosed on July 24, 2023 (OTRS Advisory).

The vulnerability is classified as CWE-20 (Improper Input Validation) and has a CVSS v3.1 base score of 6.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L according to OTRS AG. However, NVD rates it higher with a CVSS score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows any authenticated attacker to perform a host header injection for the ContentType header of the attachment. This can potentially lead to cache poisoning attacks (CAPEC-141) (OTRS Advisory).

The vulnerability has been fixed in OTRS versions 7.0.45 and 8.0.35. Users are recommended to update to these versions to mitigate the vulnerability (OTRS Advisory).

The vulnerability was discovered and reported by security researcher Tim Püttmanns. It has been acknowledged in multiple security advisories and has received patches in various distributions including Debian (Debian Advisory).