Zammad 3.3.0 Security Vulnerabilities
An issue was discovered in Zammad before 3.5.1. The default signup Role (for newly created Users) can be a privileged Role, if configured by an admin. This behavior was unintended.
CVSS Score: 4.9
EPSS Score: 0.003
Published: 2020-12-28
An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2020-12-28
In Zammad before 3.3.1, a Customer has ticket access that should only be available to an Agent (e.g., read internal data, split, or merge).
CVSS Score: 5.4
EPSS Score: 0.001
Published: 2020-06-16
Zammad before 3.3.1, when Domain Based Assignment is enabled, relies on a claimed e-mail address for authorization decisions. An attacker can register a new account that will have access to all tickets of an arbitrary Organization.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2020-06-16

