Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://zammad.com/de/advisories/zaa-2022-09 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2022-09-27T15:27:48
Updated: 2024-08-03T12:28:42.630Z
Reserved: 2022-09-19T00:00:00
Link: CVE-2022-40816
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-09-27T23:15:16.483
Modified: 2024-11-21T07:22:05.080
Link: CVE-2022-40816
Redhat
No data.