Security Advisory
ZAA-2023-08
· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2023-08
- Date: 2023-12-06
- Title: Information Disclosure
- Severity: low
- Product: Zammad 6.1.x
- Fixed in: Zammad 6.2.0
- References:
--> CVE-2023-50453
Vulnerability Descriptions
Information Disclosure
Zammad uses the public endpoint /api/v1/signshow for its login screen. This endpoint would return internal configuration data of user object attributes, like selectable values, which should not be visible in public.
Special 🙏 and 🤘 and ❤️ to:
- N: Trinh Vu
- C: VNPT Cyber Immunity Center
- W: https://www.linkedin.com/in/sonicr/
Recommended Resolution
This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.
Fixed releases can be found at:
Or just update your Zammad if installed via OS package manager.
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2023-08
Please send remarks on security issues exclusively to security@zammad.com.