Zammad: Zammad 1.1.4 Security Vulnerabilities
An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.
CVSS Score
9.8
EPSS Score
0.049
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. SSRF can occur via GitHub or GitLab integration.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.
CVSS Score
7.2
EPSS Score
0.011
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
CVSS Score
9.8
EPSS Score
0.032
Published
2021-10-07
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-06-28
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-06-28
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-06-28

