Lucene search
+L

770 matches found

redhatcve
redhatcve
added 2025/05/22 4:4 p.m.6 views

CVE-2020-10105

An issue was discovered in Zammad 3.0 through 3.2. It returns source code of static resources when submitting an OPTIONS request, rather than a GET request. Disclosure of source code allows for an attacker to formulate more precise attacks. Source code was disclosed for the file 404.html...

5.3CVSS7AI score0.00901EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:57 p.m.5 views

CVE-2020-29158

An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view...

4.3CVSS7AI score0.00672EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:28 p.m.9 views

CVE-2020-29159

An issue was discovered in Zammad before 3.5.1. The default signup Role for newly created Users can be a privileged Role, if configured by an admin. This behvaior was unintended...

4.9CVSS6.8AI score0.00918EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:23 p.m.11 views

CVE-2020-26030

An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users...

9.8CVSS6.9AI score0.01334EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:23 p.m.9 views

CVE-2020-26032

An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may le...

7.5CVSS6.5AI score0.01066EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:23 p.m.7 views

CVE-2020-26034

An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as...

4.3CVSS6.8AI score0.0072EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 3:9 p.m.10 views

CVE-2020-10101

An issue was discovered in Zammad 3.0 through 3.2. The WebSocket server crashes when messages in non-JSON format are sent by an attacker. The message format is not properly checked and parsing errors not handled. This leads to a crash of the service process...

7.5CVSS6.8AI score0.01091EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/22 7:42 a.m.8 views

CVE-2019-1010018

Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting XSS - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3...

6.1CVSS6.2AI score0.01257EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/04/07 12:21 a.m.26 views

CVE-2025-32359

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not wh...

8.8CVSS7.3AI score0.00273EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/04/07 12:20 a.m.22 views

CVE-2025-32360

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information...

8.1CVSS6.5AI score0.00232EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/04/07 12:20 a.m.32 views

CVE-2025-32357

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for...

4.3CVSS6.7AI score0.00247EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/04/07 12:18 a.m.25 views

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...

4.1CVSS6.6AI score0.00256EPSS
Exploits0References1
nvd
nvd
added 2025/04/05 9:15 p.m.33 views

CVE-2025-32358

In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...

4.1CVSS0.00256EPSS
Exploits0References1
nvd
nvd
added 2025/04/05 9:15 p.m.34 views

CVE-2025-32360

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information...

8.1CVSS0.00232EPSS
Exploits0References1
nvd
nvd
added 2025/04/05 9:15 p.m.27 views

CVE-2025-32359

In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not wh...

8.8CVSS0.00273EPSS
Exploits0References1
nvd
nvd
added 2025/04/05 9:15 p.m.17 views

CVE-2025-32357

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for...

4.3CVSS0.00247EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2025/04/05 12:0 a.m.5 views

PT-2025-15070 · Zammad · Zammad

Name of the Vulnerable Software and Affected Versions: Zammad versions 6.4.0 through 6.4.1 Description: The issue allows an authenticated agent with knowledge base permissions to use the Zammad API to fetch knowledge base content that they have no permission for. Recommendations: For versions 6.4...

4.3CVSS6.3AI score0.00247EPSS
Exploits0References7
cve
cve
added 2025/04/05 12:0 a.m.112 views

CVE-2025-32360

CVE-2025-32360 affects Zammad 6.4.x before 6.4.2, with information exposure allowing a logged-in customer to view details of shared article drafts for their tickets in the browser console and to manipulate them via the API. Root cause: exposure of draft details intended only for agents. Impact: p...

8.1CVSS6.5AI score0.00232EPSS
Exploits0References1Affected Software1
cnnvd
cnnvd
added 2025/04/05 12:0 a.m.5 views

Zammad 安全漏洞

Zammad is a suite of ticket management software from the German company Zammad. A security vulnerability exists in Zammad versions prior to 6.4.2, which stems from client-side enforcement of server-side security and could lead to bypassing a two-factor authentication configuration...

8.8CVSS6.7AI score0.00273EPSS
Exploits0References2
cnnvd
cnnvd
added 2025/04/05 12:0 a.m.4 views

Zammad 安全漏洞

Zammad is a suite of ticket management software from the German company Zammad. A security vulnerability exists in Zammad versions prior to 6.4.2, which stems from a server-side request forgery that could result in a GET request in the local network...

4.1CVSS6.3AI score0.00256EPSS
Exploits0References2
Rows per page
Query Builder