Vulnerabilities for 'Zammad'

2023-12-10

CVE-2023-50453

NVD-CWE-noinfo

An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public.

CVE-2023-50454

CWE-295

An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers.
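
The entry above names two separate checks that were missing: validation of the certificate chain against a trusted CA, and comparison of the presented certificate with the hostname the client meant to reach. The Ruby script below is an added illustration, not Zammad's code. It starts a one-shot TLS server on loopback with a constructed self-signed certificate for mail.example.test and connects to it with four client contexts: validation disabled (the weak shape), validation against the system CA bundle, validation against a private store that trusts the demo certificate, and that same store with a request for other.example.test. The hostnames, key and certificate are all constructed for the demo; the limits it shows are those of OpenSSL's stock verification, nothing Zammad-specific.

```ruby
require "openssl"
require "socket"

# Name the demo server's certificate is issued for (constructed).
DEMO_HOST = "mail.example.test"

# Self-signed certificate standing in for the external mail/LDAP/HTTP service
# an application connects to (constructed for the illustration).
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Client context with the weakness: any certificate from anyone is accepted
# and the presented name is never compared with the intended one.
def unvalidated_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Corrected client context: chain validated against a CA store and the
# certificate matched against the hostname we meant to reach. Pass a store
# to trust a private CA; with nil the system CA bundle is used.
def validated_client_context(store = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store      = store || OpenSSL::X509::Store.new.tap(&:set_default_paths)
  ctx.min_version     = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Serve exactly one TLS connection on an ephemeral loopback port and yield
# the port number. A handshake the client aborts surfaces here as SSLError.
def with_one_shot_tls_server(cert, key)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key  = key
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    raw = nil
    begin
      raw = listener.accept
      ssl = OpenSSL::SSL::SSLSocket.new(raw, sctx)
      ssl.accept
      ssl.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # the client refused our certificate, which is the point of the demo
    ensure
      raw&.close
    end
  end
  yield listener.addr[1]
ensure
  listener&.close
  server&.join
end

# Attempt a handshake with +ctx+; +hostname+ goes out as SNI and is the name
# the hostname check compares against the certificate.
def handshake(ctx, port, hostname)
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname   = hostname
  ssl.sync_close = true
  ssl.connect
  ssl.close
  :connected
rescue OpenSSL::SSL::SSLError
  tcp.close
  :rejected
end

# The four cases worth checking for every outbound TLS client.
def tls_validation_demo
  cert, key  = make_self_signed_cert(DEMO_HOST)
  private_ca = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  cases = {
    no_validation:        [unvalidated_client_context,           DEMO_HOST],
    system_cas:           [validated_client_context,             DEMO_HOST],
    trusted_correct_host: [validated_client_context(private_ca), DEMO_HOST],
    trusted_wrong_host:   [validated_client_context(private_ca), "other.example.test"],
  }
  cases.transform_values do |ctx, host|
    with_one_shot_tls_server(cert, key) { |port| handshake(ctx, port, host) }
  end
end

tls_validation_demo.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

Whatever library an application uses for SMTP, IMAP, LDAP or HTTP, the audit is the same two settings: is the peer verified at all, and is the name checked. A VERIFY_PEER context without hostname verification still accepts any certificate a trusted CA issued for any name, which is all an on-path attacker holding one needs; the trusted_wrong_host case is what catches that.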

 
 
CVE-2023-50455

CWE-770

An issue was discovered in Zammad before 6.2.0. Due to lack of rate limiting in the "email address verification" feature, an attacker could send many requests for a known address to cause a denial of service (generation of many emails, which would also spam the victim).
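
The control implied by the entry above is a budget on how often the verification mail can be requested. The Ruby class below is an added example, not Zammad's implementation: a sliding-window limiter that keeps two independent budgets, one per requesting client and one per target address, so that neither a single looping attacker nor many sources aimed at one victim can generate unbounded mail. The limits, windows, IP addresses and mailbox names are constructed for the illustration.

```ruby
# Sliding-window rate limiter for the "send verification mail" action.
# Two budgets are enforced: per requesting client, so one attacker cannot
# loop, and per target address, so a distributed attacker cannot flood one
# victim either. Limits and windows are illustrative values.
class VerificationRateLimiter
  Rule = Struct.new(:limit, :window_seconds)

  def initialize(per_source: Rule.new(5, 3600), per_address: Rule.new(3, 3600),
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @rules = { source: per_source, address: per_address }
    @hits  = Hash.new { |h, k| h[k] = [] }   # key => timestamps of allowed requests
    @clock = clock                           # injectable for deterministic tests
  end

  # Returns true when the request may send mail. A denied request is not
  # recorded, so denied attempts cannot extend a lockout on the victim's address.
  def allow?(source_ip:, address:)
    now  = @clock.call
    keys = { source: [:source, source_ip], address: [:address, address.strip.downcase] }

    keys.each do |kind, key|
      rule = @rules[kind]
      @hits[key].reject! { |t| t <= now - rule.window_seconds }  # expire hits outside the window
      return false if @hits[key].size >= rule.limit
    end

    keys.each_value { |key| @hits[key] << now }
    true
  end
end

# One attacker repeatedly requesting mail for one victim (constructed addresses):
# the per-address budget (3 per hour) runs out first and refills once the window passes.
def single_source_flood
  t = 0.0
  limiter = VerificationRateLimiter.new(clock: -> { t })
  results = Array.new(6) { limiter.allow?(source_ip: "203.0.113.7", address: "victim@example.test") }
  t += 3601.0
  results << limiter.allow?(source_ip: "203.0.113.7", address: "victim@example.test")
end

# Many sources, one victim: the per-address budget still caps the mail volume,
# and address normalisation stops case variants from getting their own budget.
def distributed_flood
  limiter = VerificationRateLimiter.new(clock: -> { 0.0 })
  (1..5).map { |i| limiter.allow?(source_ip: "198.51.100.#{i}", address: "Victim@Example.test") }
end
```

In a multi-process deployment the hit store would live in shared storage rather than in the process; the two-key design and the decision not to count denied attempts carry over unchanged.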

 
 
CVE-2023-50456

NVD-CWE-noinfo

An issue was discovered in Zammad before 6.2.0. An attacker can trigger phishing links in generated notification emails via a crafted first or last name.
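
A user's first and last name are attacker-controlled input that ends up in mail sent to other people, so they need the same treatment as any other untrusted string rendered into a message. The Ruby module below is an added example, not Zammad's code: it rejects link-like names when they are written and renders whatever is already stored as inert text. The pattern, length limit and sample names are illustrative choices.

```ruby
require "erb"

# Policy for user-supplied first and last names that are later interpolated
# into notification mail. Two layers: refuse link-like input at write time,
# and render whatever is stored as inert, escaped text at read time.
module DisplayName
  MAX_LENGTH = 100
  # A URL scheme, a "www." prefix, or a dotted host followed by a path.
  # Bare domains without a path are deliberately not caught here, because the
  # same expression would reject names such as "St.John"; escaping is the primary control.
  LINK_LIKE = %r{[a-z][a-z0-9+.-]*://|\bwww\.|[a-z0-9-]+\.[a-z]{2,}/}i

  # Write-time check (profile edit, CSV import, directory sync).
  def self.acceptable?(name)
    return false unless name.is_a?(String)
    return false unless name.length.between?(1, MAX_LENGTH)
    return false if name.match?(/[\p{Cntrl}<>]/)   # no markup, no line breaks
    !name.match?(LINK_LIKE)
  end

  # Read-time rendering for an HTML mail body: drops control characters and
  # HTML-escapes, so an already-stored bad value cannot become markup.
  def self.for_html_mail(name)
    ERB::Util.html_escape(name.to_s.gsub(/\p{Cntrl}/, "")[0, MAX_LENGTH])
  end

  # Read-time rendering for a plain-text body: collapses whitespace so a name
  # cannot inject its own lines (or a fake signature block) into the message.
  def self.for_text_mail(name)
    name.to_s.gsub(/[\p{Cntrl}\s]+/, " ").strip[0, MAX_LENGTH]
  end
end

# Constructed inputs showing what each layer does.
SAMPLE_NAMES = {
  "Jane Doe"                                        => true,
  "O'Brien-Smith"                                   => true,
  "Reset your password at https://evil.example/r"   => false,
  "www.evil.example"                                => false,
  "evil.example/login"                              => false,
  "<a href=\"https://evil.example\">Jane</a>"       => false,
}.freeze

def display_name_report
  SAMPLE_NAMES.keys.to_h { |n| [n, DisplayName.acceptable?(n)] }
end
```

Mail clients differ in what they auto-link, so the write-time filter is a defence in depth; the part that must never be skipped is escaping (or whitespace-collapsing) the stored value at the point it is rendered.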

 
 
CVE-2023-50457

CWE-863

An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.

2022-02-04

CVE-2021-43145

CWE-863

With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.

CVE-2021-44886

CWE-668

In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons did not have the same permissions as the original agent, they could receive ticket notifications for tickets they have no access to.

2021-10-11

CVE-2021-42137

CWE-269

An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
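
CVE-2021-42137 above and CVE-2023-50457 earlier on this page are the same class of bug: a list reached through one object (an overview, a knowledge base answer, a ticket) is returned without authorizing each listed object for the caller, and a projection that only shows title and state is still a read of the ticket. The Ruby below is an added example, not Zammad's code; the tickets, groups, answers and the link table are constructed. It shows the weak shape beside the corrected one, in both link directions.

```ruby
# Minimal model of the two object types and the agents that read them.
# Tickets are readable through group membership; internal-only answers need
# an extra permission. All names, groups and links are constructed.
Ticket = Struct.new(:id, :title, :state, :group)
Answer = Struct.new(:id, :title, :internal)
Agent  = Struct.new(:name, :groups, :kb_internal_access)

TICKETS = {
  1 => Ticket.new(1, "VPN outage",       "open",   "IT"),
  2 => Ticket.new(2, "Payroll question", "closed", "HR"),
  3 => Ticket.new(3, "Printer jam",      "open",   "IT"),
}.freeze

ANSWERS = {
  "kb-10" => Answer.new("kb-10", "Resetting the VPN client", false),
  "kb-11" => Answer.new("kb-11", "Escalation contacts (internal)", true),
}.freeze

# Link table: answer id => linked ticket ids. The reverse index is derived.
ANSWER_TICKETS = { "kb-10" => [1, 2, 3], "kb-11" => [1] }.freeze
TICKET_ANSWERS = ANSWER_TICKETS.each_with_object({}) { |(answer_id, ticket_ids), index|
  ticket_ids.each { |tid| (index[tid] ||= []) << answer_id }
}.freeze

# Per-object predicates. Every list below is built from these, never from
# the fact that the caller could reach the parent object.
def ticket_readable?(agent, ticket)
  agent.groups.include?(ticket.group)
end

def answer_readable?(agent, answer)
  !answer.internal || agent.kb_internal_access
end

# Weak shape: reaching the answer is treated as authorization for every
# linked ticket, so the list leaks titles and states of foreign tickets.
def linked_tickets_unfiltered(answer_id)
  ANSWER_TICKETS.fetch(answer_id, []).map { |id| TICKETS.fetch(id) }
end

# Corrected shape: the parent must be readable, and each linked ticket is
# authorized on its own. Returning title and state only is still a read.
def linked_tickets_for(agent, answer_id)
  return [] unless answer_readable?(agent, ANSWERS.fetch(answer_id))
  linked_tickets_unfiltered(answer_id).select { |t| ticket_readable?(agent, t) }
end

# The other direction: answers linked to a ticket, with the same two checks.
def linked_answers_for(agent, ticket_id)
  return [] unless ticket_readable?(agent, TICKETS.fetch(ticket_id))
  TICKET_ANSWERS.fetch(ticket_id, []).map { |id| ANSWERS.fetch(id) }
                .select { |a| answer_readable?(agent, a) }
end

if __FILE__ == $PROGRAM_NAME
  it_agent = Agent.new("it-agent", ["IT"], false)
  puts "unfiltered: #{linked_tickets_unfiltered('kb-10').map(&:id).inspect}"
  puts "filtered:   #{linked_tickets_for(it_agent, 'kb-10').map(&:id).inspect}"
end
```

The test for this class of bug is mechanical: for every endpoint that returns a collection, take a user who may read the parent but not one of the children and confirm that child is absent from the response, including from any summary or count fields.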

 
2021-10-07

CVE-2021-42092

CWE-79

An issue was discovered in Zammad before 4.1.1. Stored XSS may occur via an Article during addition of an attachment to a Ticket.

CVE-2021-42093

NVD-CWE-noinfo

An issue was discovered in Zammad before 4.1.1. An admin can execute code on the server via a crafted request that manipulates triggers.

Copyright 2024, cxsecurity.com