First published: Mon Dec 28 2020
An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zammad Zammad | >=1.0.0 <3.4.1 | |
CVE-2020-26034 is an account-enumeration issue discovered in Zammad before 3.4.1.
The severity of CVE-2020-26034 is medium with a CVSS score of 4.3.
CVE-2020-26034 affects Zammad versions before 3.4.1.
An anonymous user can exploit CVE-2020-26034 by guessing valid user email addresses and observing the application's response.
Yes, the fix for CVE-2020-26034 is available in Zammad version 3.4.1.
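The response difference described in the advisory, shown as an added example that is not Zammad's code or its actual fix: a hypothetical in-memory `SignupService` with a create-user handler whose response depends on whether the address exists, beside one common mitigation that returns the same response in both cases and tells only the mailbox owner. All class, method and message names are assumptions made for illustration.

```ruby
require "set"

# Hypothetical signup service (constructed for illustration, not Zammad code).
class SignupService
  # Constructed message: the same response is returned whether or not the address exists.
  GENERIC = { status: 200, body: "If the address can be registered, a confirmation email has been sent." }.freeze

  attr_reader :outbox

  def initialize(existing_emails)
    @users  = Set.new(existing_emails.map { |e| normalize(e) })
    @outbox = [] # messages that would be delivered out of band, by email
  end

  # Before: status and body reveal whether the address is already registered.
  def create_user_leaky(email)
    email = normalize(email)
    return { status: 422, body: "address already registered" } if @users.include?(email)
    @users << email
    { status: 201, body: "user created" }
  end

  # After: identical response for both cases; the difference reaches the mailbox owner only.
  def create_user_uniform(email)
    email = normalize(email)
    if @users.include?(email)
      @outbox << [email, :already_registered_notice]
    else
      @users << email
      @outbox << [email, :confirm_registration]
    end
    GENERIC
  end

  private

  # Case and whitespace variants must map to the same account.
  def normalize(email)
    email.to_s.strip.downcase
  end
end

# True when the responses alone let a caller tell a known address from an unknown one.
def distinguishable?(service, handler, known, unknown)
  service.public_send(handler, known) != service.public_send(handler, unknown)
end
```

Response timing and rate limiting are separate signals that this sketch does not cover; a uniform body does not help if one branch is measurably slower.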