Spoofing of "From" fields
The "From" field of the following dialogs can be manipulated: AgentTicketCompose, AgentTicketForward, AgentTicketBounce, AgentTicketEmailOutbound
Upgrade to the latest available OTRS patch level (https://ftp.otrs.org/pub/otrs/).
As a workaround, you can replace the affected files (see below for download).
ATTENTION: Please check if any of these files have been changed in your OTRS installation by additional add-ons. In that case you MUST NOT simply overwrite the files with the ones provided below. Please contact us instead.