Zammad: Security Vulnerabilities
With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.
CVSS Score
8.1
EPSS Score
0.004
Published
2022-02-04
In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If a substitute did not have the same permissions as the original agent, the substitute could receive ticket notifications for tickets they had no access to.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-02-04
An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-10-11
An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that trigger an endless loop and thus a denial of service.
CVSS Score
6.5
EPSS Score
0.004
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. An agent account can modify account data and gain admin access via a crafted request.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API.
CVSS Score
4.9
EPSS Score
0.003
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. The Chat functionality allows XSS because clipboard data is mishandled.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. The REST API discloses sensitive information.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-10-07
An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled.
CVSS Score
9.8
EPSS Score
0.049
Published
2021-10-07
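The first question a practitioner asks of a listing like this is "which of these apply to the version I am running?" The following Ruby script is an added example (it is not Shodan's or the Zammad project's code) that transcribes the entries above into a table of version requirements and evaluates a deployed version against them. "Before X" is modelled as `< X`; the two entries the page states for a single version ("5.0.1" and "5.0.2") are modelled as an exact match, which is an assumption made only because the page gives no wider range; check the upstream Zammad advisory before treating a neighbouring release as unaffected. The summaries are shortened paraphrases of the entries above, and the version strings used for the demonstration are constructed.

```ruby
# Added example, not from Shodan or the Zammad project: evaluate a deployed
# Zammad version against the advisories listed on this page.
require 'rubygems' # Gem::Version / Gem::Requirement

# Advisory table transcribed from the listing above. The requirement string
# is a Gem::Requirement: "before X" becomes "< X". The two entries the page
# states for a single version ("5.0.1", "5.0.2") are modelled as "= X"; this
# is an assumption, the upstream advisory may list a wider affected range.
ZAMMAD_ADVISORIES = [
  ['LDAP: unauthorized access with existing user accounts',                    '= 5.0.1', 8.1, '2022-02-04'],
  ['Out-of-office substitute receives notifications for inaccessible tickets', '= 5.0.2', 5.3, '2022-02-04'],
  ['Ticket list viewable without the required privilege',                      '< 5.0.1', 5.3, '2021-10-11'],
  ['Endless loop / denial of service by an authenticated agent',               '< 4.1.1', 6.5, '2021-10-07'],
  ['Stored XSS via custom avatar',                                              '< 4.1.1', 5.4, '2021-10-07'],
  ['Agent modifies account data and gains admin access',                       '< 4.1.1', 8.8, '2021-10-07'],
  ['Admin can read the application secret via the API',                        '< 4.1.1', 4.9, '2021-10-07'],
  ['XSS in Chat via mishandled clipboard data',                                 '< 4.1.1', 6.1, '2021-10-07'],
  ['REST API discloses sensitive information',                                  '< 4.1.1', 7.5, '2021-10-07'],
  ['Remote code execution via mishandled deserialization in Form',             '< 4.1.1', 9.8, '2021-10-07'],
].map { |summary, req, cvss, published|
  { summary: summary, requirement: Gem::Requirement.new(req), cvss: cvss, published: published }
}.freeze

# Normalise version strings as they appear in the wild (Docker tags, package
# names): drop a leading "v" and any "-suffix" or "+build" part, then require
# a plain dotted number so that garbage never silently compares as "old".
def parse_zammad_version(str)
  core = str.to_s.strip.sub(/\Av/, '').split(/[-+]/).first.to_s
  raise ArgumentError, "unparseable version: #{str.inspect}" unless core.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(core)
end

# Listed advisories that apply to the given version, highest CVSS first.
def applicable_advisories(version_str)
  v = parse_zammad_version(version_str)
  ZAMMAD_ADVISORIES.select { |a| a[:requirement].satisfied_by?(v) }
                   .sort_by { |a| -a[:cvss] }
end

# Highest CVSS among the applicable entries, or nil when none apply.
def max_cvss(version_str)
  applicable_advisories(version_str).map { |a| a[:cvss] }.max
end

# Human-readable report for a one-off check.
def report(version_str)
  hits = applicable_advisories(version_str)
  return "Zammad #{version_str}: none of the listed advisories apply" if hits.empty?

  header = "Zammad #{version_str}: #{hits.size} listed advisor#{hits.size == 1 ? 'y' : 'ies'} apply"
  lines = hits.map { |a| format('  %-4.1f %s (published %s)', a[:cvss], a[:summary], a[:published]) }
  ([header] + lines).join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions; pass your own as the first argument.
  puts report(ARGV.fetch(0, '4.1.0'))
  puts report('v5.0.2-12')
end
```

Run it as `ruby zammad_check.rb 4.1.0` (the filename is arbitrary). The table only knows what this page states, so a version the script reports as clean is clean with respect to these entries, not necessarily with respect to every Zammad advisory.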


Shodan ® - All rights reserved