First published: Thu Mar 05 2020
An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code can be provided by a low-privileged user through the Email functionality. The malicious JavaScript will execute within the browser of any user who opens the Ticket with the Article created from that Email.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Zammad Zammad | >=1.0.0 <=3.2.0 |
The severity of CVE-2020-10098 is medium (5.4).
CVE-2020-10098 affects Zammad versions 3.0 through 3.2.
CVE-2020-10098 is an XSS (cross-site scripting) vulnerability discovered in Zammad 3.0 through 3.2. It allows a low-privileged user to inject malicious JavaScript code through the Email functionality, which will execute in the browser of any user who opens the Ticket with the Article created from that Email.
A low-privileged user can exploit CVE-2020-10098 by providing malicious code through the Email functionality in Zammad.
Yes, a fix is available for CVE-2020-10098. It is recommended to update Zammad to a version beyond 3.2.0.