An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-05-18
An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-04-27
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).
CVSS Score
9.1
EPSS Score
0.004
Published
2022-04-27
In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons didn't have the same permissions as the original agent, they could receive ticket notifications for tickets that they have no access to.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-02-04