SECURITY ADVISORY

OTOBO 10.1.17 – Security Patch

[Security] Updated Compress::Raw::Zlib to address CVE-2026-3381 in Docker environments – The dependency Compress::Raw::Zlib has been updated to close a vulnerability that could affect Docker-based OTOBO installations. Non-Docker systems are generally not affected. [#5269 ]
[Security] Updated Mozilla::CA – The optional dependency Mozilla::CA, suggested as default configuration in several places, has been updated to the latest version to keep the certificate store current. [#5245]
[Security] CVE-2025-59490: Fixed XSS vulnerabilities – We closed cross-site scripting (XSS) vulnerabilities allowing attackers to execute malicious code in users’ browsers after those clicking on malicious links. All users are strongly advised to update to this version. [#5358, #5419]
[Security] CVE-2025-59393: Improved password masking in the Support Bundle generator – Passwords and sensitive credentials are now more reliably redacted when generating a support bundle, preventing accidental exposure of access data. [#5376 ]
[Security] Removed stack traces from frontend error messages – Stack traces are no longer exposed in frontend error messages, as they could reveal internal system information and potentially serve as an attack vector. [#5359 ]

[Enhancement] Display of Perl DBI database driver information in support data – Support data now includes detailed information about the Perl DBI database driver in use, making troubleshooting and the support process easier. [#5104]
[Enhancement] Added otobo-web/static URL for serving static files – Static files can now be served via the dedicated URL otobo-web/static, enabling a more flexible and performant web server configuration. [#5342]
[Enhancement] New console command Maint::Elasticsearch::TestConnection – The new console command allows the connection to Elasticsearch to be tested directly from the command line, simplifying administration and troubleshooting of Elasticsearch integrations. [#5340]

[Bugfix] Broken links to external icons and data leak – Broken links to external icons have been fixed and an associated data leak has been closed. [#5212]
[Bugfix] Queue set via URL did not correctly trigger ACLs in CustomerTicketMessage – When a queue was set via a URL parameter, associated ACLs were not reliably applied in the CustomerTicketMessage area. This issue has been fixed. [#5237]
[Bugfix] Agent name missing in system configuration setting history – The name of the person who made a change was not displayed in the change history of system configuration settings. This issue has been fixed. [#5071]
[Bugfix] Elasticsearch index tmpattachments was not managed by OTOBO – The Elasticsearch index tmpattachments was previously not managed by OTOBO, which could lead to inconsistencies. This has been corrected so that the index is now fully within OTOBO’s management scope. [#4326]

We recommend that you fix the vulnerabilities and benefit from the latest improvements. Please update your system.

A comprehensive overview of all present and past changes.

As a support customer, just reach out via our portal or give us a quick call – we’re here to help.

Haven’t worked with us yet? Maybe now’s the perfect time. We’ll be happy to support your next update. Just get in touch – we’d love to hear from you!