Filtered by vendor Zammad
Filtered by product Zammad
Total: 80 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2021-42087 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.9 Medium | An issue was discovered in Zammad before 4.1.1. An admin can discover the application secret via the API.
CVE-2021-42086 | 1 Zammad | 1 Zammad | 2024-11-21 | 8.8 High | An issue was discovered in Zammad before 4.1.1. An Agent account can modify account data, and gain admin access, via a crafted request.
CVE-2021-42085 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.4 Medium | An issue was discovered in Zammad before 4.1.1. There is stored XSS via a custom Avatar.
CVE-2021-42084 | 1 Zammad | 1 Zammad | 2024-11-21 | 6.5 Medium | An issue was discovered in Zammad before 4.1.1. An attacker with valid agent credentials may send a series of crafted requests that cause an endless loop and thus cause denial of service.
CVE-2021-35303 | 1 Zammad | 1 Zammad | 2024-11-21 | 6.1 Medium | Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via the User Avatar attribute.
CVE-2021-35302 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.3 Medium | Incorrect Access Control for linked Tickets in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information.
CVE-2021-35301 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.3 Medium | Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows remote attackers to obtain sensitive information via the Ticket Article detail view.
CVE-2021-35300 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.3 Medium | Text injection/Content Spoofing in the 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
CVE-2021-35299 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 High | Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing.
CVE-2021-35298 | 1 Zammad | 1 Zammad | 2024-11-21 | 6.1 Medium | Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote attackers to execute arbitrary web script or HTML via multiple models that contain a 'note' field to store additional information.
CVE-2020-29160 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 High | An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing.
CVE-2020-29159 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.9 Medium | An issue was discovered in Zammad before 3.5.1. The default signup Role (for newly created Users) can be a privileged Role, if configured by an admin. This behavior was unintended.
CVE-2020-29158 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.3 Medium | An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.
CVE-2020-26035 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.4 Medium | An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a Ticket.
CVE-2020-26034 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.3 Medium | An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.
CVE-2020-26033 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.4 Medium | An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
CVE-2020-26032 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 High | An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems.
CVE-2020-26031 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.3 Medium | An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).
CVE-2020-26030 | 1 Zammad | 1 Zammad | 2024-11-21 | 9.8 Critical | An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users.
CVE-2020-26029 | 1 Zammad | 1 Zammad | 2024-11-21 | 6.5 Medium | An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header.
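The two identity issues in the table, CVE-2020-26030 (SSO header honoured when SSO is not configured) and CVE-2020-26029 (permission check run against the real user rather than the X-On-Behalf-Of target), are both instances of resolving the acting user from a request incorrectly. The following is an added illustration, written for this page and not Zammad's code: the user directory, the header names, the permission strings and the rule that only holders of `admin.user` may impersonate are assumptions of the example, and the "vulnerable" functions show the pattern the descriptions name, not Zammad's actual implementation.

```ruby
# Added example, not Zammad's code. Directory, header names, permission
# strings and the impersonation rule ('admin.user') are assumptions.
require 'set'

# Constructed sample directory: login => { id:, permissions: }.
USERS = {
  'alice' => { id: 1, permissions: Set['ticket.agent'] },
  'bob'   => { id: 2, permissions: Set['ticket.agent', 'admin.user'] },
  'root'  => { id: 3, permissions: Set['admin', 'admin.user', 'ticket.agent'] }
}.freeze

class AuthError < StandardError; end

# Pattern behind CVE-2020-26030 as described above: the SSO header is trusted
# whenever it is present, without checking that SSO is configured at all.
# Anyone who can reach the endpoint names a user and gets a session as them.
def sso_user_vulnerable(headers)
  login = headers['X-Forwarded-User']
  login && USERS[login]
end

# Hardened: the header only means something if SSO is enabled AND the request
# came in through the proxy that sets it; otherwise it is ignored outright.
def sso_user(headers, sso_enabled:, from_trusted_proxy:)
  return nil unless sso_enabled && from_trusted_proxy

  login = headers['X-Forwarded-User']
  login && USERS[login]
end

# Pattern behind CVE-2020-26029 as described above: the permission check runs
# against the authenticated actor, but the action then executes as the user
# named in X-On-Behalf-Of. An agent allowed to do the action can therefore do
# it as any other account, including an admin.
def resolve_actor_vulnerable(actor, headers, required_permission)
  raise AuthError, 'forbidden' unless actor[:permissions].include?(required_permission)

  target = headers['X-On-Behalf-Of']
  target ? USERS.fetch(target) : actor
end

# Hardened: impersonating is itself a privilege of the actor, and the action is
# then authorised for the effective user the request will run as.
def resolve_actor(actor, headers, required_permission)
  effective = actor
  if (target = headers['X-On-Behalf-Of'])
    raise AuthError, 'impersonation not permitted' unless actor[:permissions].include?('admin.user')

    effective = USERS[target]
    raise AuthError, 'unknown target user' unless effective
  end
  raise AuthError, 'forbidden' unless effective[:permissions].include?(required_permission)

  effective
end

if $PROGRAM_NAME == __FILE__
  hdr = { 'X-On-Behalf-Of' => 'root' }
  puts "vulnerable: alice runs the action as user #{resolve_actor_vulnerable(USERS['alice'], hdr, 'ticket.agent')[:id]}"
  begin
    resolve_actor(USERS['alice'], hdr, 'ticket.agent')
  rescue AuthError => e
    puts "hardened: #{e.message}"
  end
end
```

The point of `resolve_actor` is the order of checks: first, does the real caller hold the impersonation privilege; second, does the user the request will run as hold the permission for the action. Checking only the caller (the vulnerable variant) lets a low-privileged agent execute as an admin; checking only the target would let anyone impersonate anyone.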
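CVE-2020-26034 describes the classic account-enumeration oracle: the signup path answers differently for an address that is already registered. The following added example (not Zammad's code; the user store, the message texts and the mailer stub are constructed for this page) shows a leaky handler, a uniform one, and the anonymous probe that tells them apart.

```ruby
# Added example, not Zammad's code. User store, messages and mailer stub are
# constructed assumptions of this illustration.
require 'set'

EXISTING_USERS = Set['alice@example.com'].freeze # constructed sample user store

# Leaky (the pattern CVE-2020-26034 describes): the two outcomes differ in
# status and body, so the endpoint doubles as a "does this address exist" oracle.
def signup_vulnerable(email)
  if EXISTING_USERS.include?(email)
    { status: 422, body: 'E-mail address already in use' }
  else
    { status: 201, body: 'Account created, check your inbox' }
  end
end

# Uniform: the same response either way. The distinction moves out of band into
# the e-mail (a sign-up link for a new address, a "someone tried to register with
# your address" notice for an existing one). Both branches send exactly one mail,
# so the timing profile is the same as well.
def signup(email, mailer)
  kind = EXISTING_USERS.include?(email) ? :already_registered : :confirm_signup
  mailer.call(email, kind)
  { status: 202, body: 'If the address can be used, an e-mail has been sent' }
end

# What the anonymous attacker does: obtain a baseline response for a random
# address that is certainly not registered, then keep every candidate whose
# response differs from it. Against a uniform endpoint nothing is kept.
def enumerate_accounts(endpoint, candidates)
  baseline = endpoint.call("probe-#{rand(1 << 32)}@invalid.example")
  candidates.select { |email| endpoint.call(email) != baseline }
end

if $PROGRAM_NAME == __FILE__
  candidates = %w[alice@example.com mallory@example.com]
  puts "leaky endpoint reveals: #{enumerate_accounts(method(:signup_vulnerable), candidates).inspect}"
  quiet = ->(email) { signup(email, ->(_to, _kind) { nil }) }
  puts "uniform endpoint reveals: #{enumerate_accounts(quiet, candidates).inspect}"
end
```

When reviewing a fix for this class of bug, compare the full response (status, body, headers, and response time under load), not just the message text; a different status code or a missing Set-Cookie is as good an oracle as a different sentence.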
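CVE-2020-26032 is a server-side request forgery: a configuration form takes a URL, the server fetches it for a "test request", and the result is rendered back to the user, so the form becomes a proxy into the intranet. The check below is an added example for this page, not Zammad's code: the blocked ranges are the usual private, loopback and link-local ones, and the DNS table and resolver are constructed stand-ins so the block runs offline. It goes slightly beyond the single case in the description by also treating a name that resolves to a mix of public and private addresses as blocked.

```ruby
# Added example, not Zammad's code. FAKE_DNS and FAKE_RESOLVER are constructed
# stand-ins for real name resolution; the range list is an assumption.
require 'ipaddr'
require 'uri'

BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class SsrfBlocked < StandardError; end

# Constructed DNS view: a public SMS gateway, an intranet host, and a name whose
# records mix public and private addresses (a rebinding-style setup).
FAKE_DNS = {
  'sms.example.net'           => ['203.0.113.10'],
  'intranet.example.internal' => ['10.20.30.40'],
  'rebind.example'            => ['203.0.113.10', '10.0.0.1']
}.freeze

FAKE_RESOLVER = lambda do |host|
  begin
    IPAddr.new(host) # an IP literal "resolves" to itself
    [host]
  rescue IPAddr::InvalidAddressError
    FAKE_DNS.fetch(host, [])
  end
end

# Vulnerable pattern as described above: the URL goes to the HTTP client
# untouched, so whoever drives the form can have the server fetch
# http://169.254.169.254/... or any intranet address and read the body back.
def test_url_vulnerable(url)
  url
end

# Hardened: http(s) only, resolve the name ourselves, reject if ANY returned
# address is non-routable, and hand back the validated literal IP so the client
# connects to exactly what was checked (closes the check-then-use DNS window).
def validate_outbound_url(url, resolver)
  uri = URI.parse(url)
  raise SsrfBlocked, "scheme #{uri.scheme.inspect} not allowed" unless %w[http https].include?(uri.scheme)

  host = uri.hostname
  raise SsrfBlocked, 'missing host' if host.nil? || host.empty?

  addrs = resolver.call(host)
  raise SsrfBlocked, "#{host} does not resolve" if addrs.empty?

  addrs.each do |a|
    ip = IPAddr.new(a)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is checked as 10.0.0.1
    raise SsrfBlocked, "#{host} resolves to non-routable #{a}" if BLOCKED_RANGES.any? { |r| r.include?(ip) }
  end
  { host: host, ip: addrs.first, port: uri.port, path: uri.request_uri }
rescue URI::InvalidURIError => e
  raise SsrfBlocked, "unparsable URL: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  %w[https://sms.example.net/api/send http://169.254.169.254/latest/meta-data/ http://rebind.example/].each do |u|
    begin
      puts "#{u} -> #{validate_outbound_url(u, FAKE_RESOLVER).inspect}"
    rescue SsrfBlocked => e
      puts "#{u} -> blocked (#{e.message})"
    end
  end
end
```

Two caveats the check alone does not cover: the HTTP client must not follow redirects on its own (each hop has to go through `validate_outbound_url` again), and the response body of the test request should be reduced to a status line rather than rendered back verbatim, which is the other half of the issue the description names.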