Zammad 2.2.0 Security Vulnerabilities
An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.
CVSS Score: 7.2 | EPSS Score: 0.011 | Published: 2021-10-07
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
CVSS Score: 9.8 | EPSS Score: 0.029 | Published: 2021-10-07
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
CVSS Score: 4.3 | EPSS Score: 0.004 | Published: 2021-06-28
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2021-06-28
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-06-28
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-06-28
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
CVSS Score: 4.9 | EPSS Score: 0.003 | Published: 2020-12-28
An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2020-12-28

