An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-12
An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-08
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-05-08
Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-10-11
Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.
CVSS Score
7.5
EPSS Score
0.005
Published
2024-10-11
An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.
CVSS Score
9.8
EPSS Score
0.006
Published
2024-04-29