Zammad 3.4.1 Security Vulnerabilities
An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.
CVSS Score
7.2
EPSS Score
0.011
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
CVSS Score
9.8
EPSS Score
0.029
Published
2021-10-07
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
CVSS Score
4.3
EPSS Score
0.004
Published
2021-06-28
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-06-28
Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-06-28
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-06-28
Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-06-28
An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.
CVSS Score
4.3
EPSS Score
0.001
Published
2020-12-28
An issue was discovered in Zammad before 3.5.1. The default signup Role (for newly created Users) can be a privileged Role, if configured by an admin. This behavior was unintended.
CVSS Score
4.9
EPSS Score
0.003
Published
2020-12-28

