First published: Tue Jun 16 2020
Zammad before 3.3.1, when Domain Based Assignment is enabled, relies on a claimed e-mail address for authorization decisions. An attacker can register a new account that will have access to all tickets of an arbitrary Organization.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zammad Zammad | <3.3.1 | |
CVE-2020-14214 is a vulnerability in Zammad that allows an attacker to register a new account and gain access to all tickets of an arbitrary organization.
CVE-2020-14214 affects Zammad versions up to and including 3.3.1 when Domain Based Assignment is enabled.
CVE-2020-14214 has a severity rating of 6.5 (Medium).
An attacker can exploit CVE-2020-14214 by registering a new account with a claimed email address to gain unauthorized access to all tickets of an arbitrary organization.
Yes, the vulnerability has been fixed in Zammad version 3.3.2 and later.