Filtered by vendor Zammad
Total: 72 CVE (12 listed below)
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-29700 | 1 Zammad | 1 Zammad | 2024-08-03 | 7.5 High | A lack of password length restriction in Zammad v5.1.0 allows for the creation of extremely long passwords, which can cause a Denial of Service (DoS) during password verification.
CVE-2022-29701 | 1 Zammad | 1 Zammad | 2024-08-03 | 7.5 High | A lack of rate limiting in the 'forgot password' feature of Zammad v5.1.0 allows attackers to send an excessive number of reset requests for a legitimate user, leading to a possible Denial of Service (DoS) via a large number of generated e-mail messages.
CVE-2022-27332 | 1 Zammad | 1 Zammad | 2024-08-03 | 9.1 Critical | An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).
CVE-2022-27331 | 1 Zammad | 1 Zammad | 2024-08-03 | 4.3 Medium | An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.
CVE-2023-50456 | 1 Zammad | 1 Zammad | 2024-08-02 | 5.3 Medium | An issue was discovered in Zammad before 6.2.0. An attacker can place phishing links in generated notification e-mails via a crafted first or last name.
CVE-2023-50454 | 1 Zammad | 1 Zammad | 2024-08-02 | 5.9 Medium | An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of the hostname and certificate authority. This is exploitable by man-in-the-middle attackers.
CVE-2023-50457 | 1 Zammad | 1 Zammad | 2024-08-02 | 4.3 Medium | An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers linked to a ticket, a user could see entries for which they lack permissions.
CVE-2023-50453 | 1 Zammad | 1 Zammad | 2024-08-02 | 5.3 Medium | An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public.
CVE-2023-31597 | 1 Zammad | 1 Zammad | 2024-08-02 | 6.5 Medium | An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets.
CVE-2023-29867 | 1 Zammad | 1 Zammad | 2024-08-02 | 6.5 Medium | Zammad 5.3.x (fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API.
CVE-2023-29868 | 1 Zammad | 1 Zammad | 2024-08-02 | 6.5 Medium | Zammad 5.3.x (fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with both agent and customer roles could perform unauthorized changes on articles where they only have customer permissions.
CVE-2024-33668 | 1 Zammad | 1 Zammad | 2024-08-02 | 9.1 Critical | An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute-force them to upload malicious content to article drafts they have no access to.
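CVE-2022-29700 and CVE-2022-29701 are both abuse-of-resource bugs at the authentication boundary: an uncapped password length makes every verification as expensive as the attacker wants, and an unthrottled reset endpoint lets one client flood a victim's mailbox. The Ruby below is an added example written for this page, not Zammad's own code; it shows the two controls a practitioner would expect. The length cap (128 bytes), the limits (3 per mailbox and 20 per source address per hour), the SHA-256 stand-in verifier (a placeholder for the real slow hash such as bcrypt or argon2) and the injectable clock are all assumptions made so the example runs offline.

```ruby
require 'digest'

# Cap on accepted password length in bytes. Assumed policy value; the point
# is that slow password hashes (bcrypt, argon2, PBKDF2) must never see an
# unbounded input, so the cap is applied before any hashing runs.
MAX_PASSWORD_BYTES = 128

class PasswordTooLong < StandardError; end

# Stand-in verifier so the example runs without the bcrypt/argon2 gems.
# In a real application this is the slow password hash.
STANDIN_VERIFIER = lambda do |password, stored_hash|
  Digest::SHA256.hexdigest(password) == stored_hash
end

# Rejects over-long passwords before the expensive verifier is invoked.
def verify_password(password, stored_hash, verifier: STANDIN_VERIFIER)
  if password.bytesize > MAX_PASSWORD_BYTES
    raise PasswordTooLong, "password exceeds #{MAX_PASSWORD_BYTES} bytes"
  end
  verifier.call(password, stored_hash)
end

# Sliding-window counter: at most `limit` events per `window_seconds` per key.
# The clock is injectable so the behaviour can be exercised without sleeping.
class SlidingWindowLimiter
  def initialize(limit:, window_seconds:,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit, @window, @clock = limit, window_seconds, clock
    @events = Hash.new { |h, k| h[k] = [] }
  end

  # Records the event and returns true, or returns false without recording
  # when the key has already used its allowance inside the window.
  def allow?(key)
    now = @clock.call
    stamps = @events[key]
    stamps.reject! { |t| t <= now - @window }
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Forgot-password handler throttled on two axes: per target mailbox, so one
# victim cannot be flooded, and per requesting source, so one client cannot
# spray resets across many accounts. Limits are assumed values.
class ForgotPasswordThrottle
  def initialize(clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @per_account = SlidingWindowLimiter.new(limit: 3,  window_seconds: 3600, clock: clock)
    @per_source  = SlidingWindowLimiter.new(limit: 20, window_seconds: 3600, clock: clock)
  end

  # Returns :sent or :throttled. The HTTP response shown to the client should
  # be identical in both cases (and for unknown addresses) so the endpoint does
  # not double as an account-enumeration oracle; only the e-mail side effect
  # is gated here. Note that a throttled request still consumes a source slot.
  def request_reset(email:, source_ip:, mailer:)
    account_key = email.strip.downcase   # normalise so case/whitespace cannot bypass the key
    return :throttled unless @per_source.allow?(source_ip)
    return :throttled unless @per_account.allow?(account_key)
    mailer.call(account_key)
    :sent
  end
end
```

The per-account key is normalised before counting; without that, `Victim@example.com` and `victim@example.com` would each get their own allowance. In production the limiter state lives in a shared store (Redis or the database), not in process memory, or each application worker grants its own allowance.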
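CVE-2023-50454 describes outbound TLS connections that validate neither the certificate chain nor the hostname, which is exactly what an on-path attacker needs. The Ruby below is an added example, not Zammad's code: it shows the insecure context shape beside a hardened one for Ruby's `OpenSSL::SSL::SSLContext`, the same settings applied to `Net::HTTP`, the raw-socket case where the hostname must be handed to the socket explicitly, and an audit helper that tells the two apart. The CA-bundle path parameter and the example URI are assumptions.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# The pattern behind the bug: the chain is never validated and the hostname
# is never compared to the certificate, so any on-path attacker presenting a
# self-signed certificate is accepted. Shown only as the "before".
def insecure_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Hardened context: chain validated against a trust store (the system store by
# default, or an explicit bundle for a private CA), hostname checked against
# the certificate's SAN/CN, and pre-TLS-1.2 protocol versions refused.
def secure_ssl_context(ca_file: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  if ca_file
    ctx.ca_file = ca_file
  else
    ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  ctx
end

# Audit helper: does a context actually enforce peer and hostname verification
# against some trust store? Useful for a unit test over every outbound client.
def tls_context_secure?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER &&
    ctx.verify_hostname == true &&
    !(ctx.ca_file.nil? && ctx.cert_store.nil?)
end

# Same settings on Net::HTTP, which most Ruby integrations use. Net::HTTP runs
# the hostname check itself (post_connection_check) whenever verify_mode is
# anything other than VERIFY_NONE.
def secure_http_client(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  if ca_file
    http.ca_file = ca_file
  else
    http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  http
end

# Raw-socket variant for code that wraps a TCPSocket itself (SMTP/IMAP/LDAP
# helpers and the like). verify_hostname has nothing to compare against unless
# the expected name is handed to the socket, so that step is easy to miss.
def wrap_socket(tcp_socket, hostname, ctx = secure_ssl_context)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp_socket, ctx)
  ssl.hostname = hostname              # sets SNI and the name to verify
  ssl.sync_close = true
  ssl.connect
  ssl.post_connection_check(hostname)  # explicit check; raises on mismatch
  ssl
end
```

`verify_mode = VERIFY_PEER` alone is not enough on the raw-socket path: without `verify_hostname` and a hostname on the socket, a valid certificate for any name is accepted, which is the second half of what the CVE describes.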
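Several entries in the list (CVE-2023-50457, CVE-2023-29868, and in the same family CVE-2023-29867 and CVE-2022-27331) share one root cause: data is returned or modified because a relationship or a role exists, without checking the requesting user's rights on the specific object. The Ruby below is an added example, not Zammad's code, using a deliberately simplified permission model (agents have rights per group; a customer may read but not modify their own tickets) that is an assumption of the example. It shows the unfiltered listing that leaks linked tickets beside the object-level filter that fixes it, and an article update guarded by a per-ticket check rather than by the mere presence of an agent role.

```ruby
User   = Struct.new(:id, :agent_groups, keyword_init: true)
Ticket = Struct.new(:id, :group, :customer_id, keyword_init: true)

# Object-level checks (simplified model, assumed for this example).
def can_read_ticket?(user, ticket)
  user.agent_groups.include?(ticket.group) || ticket.customer_id == user.id
end

# Editing articles needs agent rights on the ticket's group; being the
# ticket's customer, or an agent for some other group, is not enough.
def can_edit_article?(user, ticket)
  user.agent_groups.include?(ticket.group)
end

# The buggy shape: the link table is trusted as-is and every linked ticket
# is returned, including ones the caller may not see. Missing IDs are dropped.
def linked_tickets_unfiltered(_user, link_ids, tickets_by_id)
  link_ids.filter_map { |id| tickets_by_id[id] }
end

# Fixed: each resolved object is authorized against the requesting user.
# Filtering the final objects rather than the link rows makes the check hold
# no matter from which side of the link the query was started.
def linked_tickets_for(user, link_ids, tickets_by_id)
  linked_tickets_unfiltered(user, link_ids, tickets_by_id)
    .select { |ticket| can_read_ticket?(user, ticket) }
end

# Article update guarded by the per-ticket check. A role-level test such as
# "user has the agent role" would let a mixed agent/customer account edit
# articles on tickets where it is only the customer.
def update_article(user, ticket, article, new_body)
  return [:forbidden, article] unless can_edit_article?(user, ticket)
  [:ok, article.merge(body: new_body)]
end
```

A useful regression test for this class of bug is to build a user who is an agent in one group and a customer in another, then assert on every list endpoint that the result equals the set of objects for which the object-level predicate is true, as the test below does.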
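CVE-2024-33668 hinges on identifiers that are "partially guessable": if part of an ID is derived from something the attacker can observe or estimate, the remaining entropy is all that protects the object. The Ruby below is an added example, not Zammad's implementation: it uses a hypothetical weak scheme (creation timestamp plus a 3-digit random suffix) that is an assumption of the example, simulates the guessing attack against it offline, contrasts it with a 256-bit identifier from `SecureRandom`, and then shows the second control a practitioner would want, binding each ID to the principal that created it so that even a leaked ID is useless from another account.

```ruby
require 'securerandom'

SUFFIX_RANGE = 1000  # size of the random part in the weak scheme (assumed)

# Weak scheme (hypothetical, not Zammad's generator): creation time plus a
# small random suffix. The time is approximately known to anyone who watched
# the draft appear, so only the ~10-bit suffix is actually secret.
def weak_form_id(created_at, rng: Random.new)
  "#{created_at.to_i}-#{rng.rand(SUFFIX_RANGE)}"
end

# 256 bits from the OS CSPRNG, URL-safe, 43 characters; not enumerable.
def strong_form_id
  SecureRandom.urlsafe_base64(32)
end

# Bits an attacker must search when the creation time is known to within
# +/- window_seconds under the weak scheme.
def search_space_bits(window_seconds, suffix_range)
  Math.log2((2 * window_seconds + 1) * suffix_range)
end

# Offline simulation of the guessing attack: enumerate every candidate in the
# time window and report which one hit and how many attempts it took.
def guess_weak_id(cache, around:, window_seconds: 60)
  attempts = 0
  ((around.to_i - window_seconds)..(around.to_i + window_seconds)).each do |ts|
    SUFFIX_RANGE.times do |suffix|
      attempts += 1
      candidate = "#{ts}-#{suffix}"
      return [candidate, attempts] if cache.key?(candidate)
    end
  end
  [nil, attempts]
end

# Unguessable IDs are necessary but not sufficient. The cache also records
# who created each form and refuses access from anyone else, so the ID never
# acts as a bearer capability on its own.
class UploadCache
  def initialize
    @entries = {}
  end

  # Returns the new form ID for `owner`.
  def create(owner:)
    id = strong_form_id
    @entries[id] = { owner: owner, files: [] }
    id
  end

  # True if the file was attached; false for unknown IDs or a foreign owner.
  def add_file(form_id, owner:, file:)
    entry = @entries[form_id]
    return false if entry.nil? || entry[:owner] != owner
    entry[:files] << file
    true
  end

  # The owner's files, or nil when the ID is unknown or belongs to someone else.
  def files(form_id, owner:)
    entry = @entries[form_id]
    return nil if entry.nil? || entry[:owner] != owner
    entry[:files].dup
  end
end
```

With a one-minute uncertainty about creation time the weak scheme leaves under 17 bits to search, roughly 120,000 requests, which is an afternoon's work against an endpoint with no rate limit. The ownership check makes the brute force pointless even if a future change weakened the generator again.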