SECURITY ADVISORY
- PUBLISHING DATE: September 25, 2025
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSION: OTOBO 10.1
Description
- [Security | high] Fix for potential privilege escalation via backup.pl
We have closed a potential security vulnerability which – only on systems configured to allow backup.pl to be executed with root permissions by any user (e.g. through modifications in the sudoers file) – potentially enabled a command injection. This could allow standard users on the OTOBO server to execute arbitrary commands with root privileges.
Standard installations are not affected.
Thanks to Diego Berger Tellaroli for reporting this issue! [#4619]
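The precondition named above is a sudoers rule that lets every local user run backup.pl as root. The following audit function is an added example, not part of the OTOBO advisory or project: it reads sudoers-style text and flags such rules. The sample rules and the /opt/otobo/scripts/backup.pl path are constructed for illustration.

```shell
#!/bin/sh
# audit_backup_sudoers: read sudoers text on stdin and report every rule
# that mentions backup.pl. Rules granted to ALL users or to a %group are
# printed as RISK (the condition the advisory describes); rules for a
# single named user are printed as INFO. Aliases (User_Alias, Cmnd_Alias)
# are not resolved, so review any INFO line that starts with an alias name.
audit_backup_sudoers() {
    while IFS= read -r line; do
        # Drop comments; sudoers treats everything after '#' as a comment.
        rule=$(printf '%s' "$line" | sed 's/#.*//')
        case "$rule" in
            *backup.pl*) ;;
            *) continue ;;
        esac
        # User specification: <who> <host>=(<runas>) [TAG:] <command>
        who=$(printf '%s' "$rule" | awk '{print $1}')
        case "$who" in
            ALL|%*) printf 'RISK: %s\n' "$rule" ;;
            *)      printf 'INFO: %s\n' "$rule" ;;
        esac
    done
}

# Constructed sample sudoers content (not from a real system).
SAMPLE='# constructed sample
root    ALL=(ALL) ALL
ALL     ALL=(root) NOPASSWD: /opt/otobo/scripts/backup.pl
%otobo  ALL=(root) /opt/otobo/scripts/backup.pl
otobo   ALL=(root) /opt/otobo/scripts/backup.pl'

# Stand-alone demonstration; on a live host run instead:
#   sudo cat /etc/sudoers /etc/sudoers.d/* | audit_backup_sudoers
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_backup_sudoers
fi
```

Any RISK line means the privilege-escalation path described in the advisory is reachable on an unpatched 10.1 system, so either remove the rule or update to 10.1.15.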
- [Security | medium] Incorrect group assignment with LDAP-Sync and Nested Group Search
We fixed an issue where users were assigned too many groups when LDAP-Sync was used with the NestedGroupSearch option enabled in the Config.pm. The cause was a bug that always inherited nested groups to users who were already assigned to the parent group.
Only installations that authenticate agents via LDAP, use the LDAP-Sync module, and have NestedGroupSearch enabled were affected.
Standard systems without this configuration are not affected.
Thanks to our partner FREICON for reporting this! [#4695]
Changes
- [Change] Docker: Upgraded the Perl base image to 5.38-bookworm. [#4512]
Bug Fixes
- [Bugfix] System Configuration: Fixed an issue where saving a setting as a favorite did not work. [#4130]
- [Bugfix] AgentTicketActionCommon: Fixed a bug where the type update did not respect current parameters when saving. [#4359]
- [Bugfix] Article handling: The article table is now properly tidied up if article creation fails midway. [#4596]
- [Bugfix] OpenID Connect: Corrected login form behavior and improved misleading error messages shown after a browser restart. [#4393]
- [Bugfix] DynamicField Webservice: Fixed a bug affecting the proper handling of DynamicField webservices. [#3446]
Next steps
Update to OTOBO 10.1.15
We recommend that you fix the vulnerabilities and benefit from the latest improvements. Please update your system.
Security patch? System update?
No need to handle it alone.
As a support customer, just reach out via our portal or give us a quick call – we’re here to help.
Haven’t worked with us yet? Maybe now’s the perfect time. We’ll be happy to support your next update. Just get in touch – we’d love to hear from you!
Report a security issue: security@otobo.org