Latest zammad zammad Vulnerabilities

CVE-2023-50453
An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as ...
Zammad Zammad=6.1.0
Zammad Zammad=6.1.0-alpha
Zammad Zammad=6.2.0-alpha
CVE-2023-50454
An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. T...
Zammad Zammad=6.1.0
Zammad Zammad=6.1.0-alpha
Zammad Zammad=6.2.0-alpha
CVE-2023-50457
An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.
Zammad Zammad=6.1.0
Zammad Zammad=6.1.0-alpha
Zammad Zammad=6.2.0-alpha
CVE-2023-50455
An issue was discovered in Zammad before 6.2.0. Due to lack of rate limiting in the "email address verification" feature, an attacker could send many requests for a known address to cause Denial Of Se...
Zammad Zammad=6.1.0
Zammad Zammad=6.1.0-alpha
Zammad Zammad=6.2.0-alpha
CVE-2023-50456
An issue was discovered in Zammad before 6.2.0. An attacker can trigger phishing links in generated notification emails via a crafted first or last name.
Zammad Zammad=6.1.0
Zammad Zammad=6.1.0-alpha
Zammad Zammad=6.2.0-alpha
CVE-2023-31597
An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access t...
Zammad Zammad<5.4.1
CVE-2023-29868
Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have cus...
Zammad Zammad>=5.3.0<5.4.0
CVE-2023-29867
Zammad 5.3.x (Fixed 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API.
Zammad Zammad>=5.3.0<5.4.0
CVE-2022-48023
Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so ...
Zammad Zammad=5.3.0
CVE-2022-48022
An issue in the component /api/v1/mentions of Zammad v5.3.0 allows authenticated attackers with agent permissions to view information about tickets they are not authorized to see.
Zammad Zammad=5.3.0
CVE-2022-40817
Zammad 5.2.1 has a fine-grained permission model that allows to configure read-only access to tickets. However, agents were still wrongly able to perform some operations on such tickets, like adding a...
Zammad Zammad>=5.2.0<5.2.2
CVE-2022-40816
Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic wa...
Zammad Zammad>=5.2.0<5.2.2
CVE-2022-35488
In Zammad 5.2.0, an attacker could manipulate the rate limiting in the 'forgot password' feature of Zammad, and thereby send many requests for a known account to cause Denial Of Service by many genera...
Zammad Zammad=5.2.0
Zammad Zammad=5.2.0-alpha
CVE-2022-35489
In Zammad 5.2.0, customers who have secondary organizations assigned were able to see all organizations of the system rather than only those to which they are assigned.
Zammad Zammad=5.2.0
Zammad Zammad=5.2.0-alpha
CVE-2022-35487
Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access t...
Zammad Zammad=5.2.0
Zammad Zammad=5.2.0-alpha
CVE-2022-35490
Zammad 5.2.0 is vulnerable to privilege escalation. Zammad has a prevention against brute-force attacks trying to guess login credentials. After a configurable amount of attempts, users are invalidate...
Zammad Zammad=5.2.0
Zammad Zammad=5.2.0-alpha
CVE-2022-29701
A lack of rate limiting in the 'forgot password' feature of Zammad v5.1.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a possible Denial of Service ...
Zammad Zammad=5.1.0
CVE-2022-27332
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a D...
Zammad Zammad<5.1.0
CVE-2022-27331
An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authent...
Zammad Zammad<5.1.0
CVE-2022-29700
A lack of password length restriction in Zammad v5.1.0 allows for the creation of extremely long passwords which can cause a Denial of Service (DoS) during password verification.
Zammad Zammad=5.1.0
CVE-2021-44886
In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons didn't have the same permissions as the original agent, they could receive ticket notifi...
Zammad Zammad=5.0.2
CVE-2021-43145
With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.
Zammad Zammad=5.0.1
CVE-2021-42137
An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
Zammad Zammad<5.0.1
CVE-2021-42086
An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request.
Zammad Zammad<4.1.1
CVE-2021-42085
An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.
Zammad Zammad<4.1.1
CVE-2021-42089
An issue was discovered in Zammad before 4.1.1. The REST API discloses sensitive information.
Zammad Zammad<4.1.1
CVE-2021-42087
An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API.
Zammad Zammad<4.1.1
CVE-2021-42088
An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled.
Zammad Zammad<4.1.1
CVE-2021-42090
An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.
Zammad Zammad<4.1.1
CVE-2021-42091
An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration.
Zammad Zammad<4.1.1
CVE-2021-42092
An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.
Zammad Zammad<4.1.1
CVE-2021-42094
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
Zammad Zammad<4.1.1
CVE-2021-42093
An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.
Zammad Zammad<4.1.1
CVE-2021-35303
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2021-35301
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2021-35300
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2021-35302
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2021-35299
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2021-35298
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
Zammad Zammad>=1.0.0<=4.0.0
CVE-2020-29160
An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing.
Zammad Zammad<3.5.1
CVE-2020-26028
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-26035
An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a TIcket.
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-26030
An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated...
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-26032
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can us...
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-26033
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-29159
An issue was discovered in Zammad before 3.5.1. The default signup Role (for newly created Users) can be a privileged Role, if configured by an admin. This behvaior was unintended.
Zammad Zammad<3.5.1
CVE-2020-29158
An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.
Zammad Zammad<3.5.1
CVE-2020-26031
An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-26034
An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The a...
Zammad Zammad>=1.0.0<3.4.1
CVE-2020-14213
In Zammad before 3.3.1, a Customer has ticket access that should only be available to an Agent (e.g., read internal data, split, or merge).
Zammad Zammad<3.3.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203