
Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send information regarding vulnerabilities in Zammad to: security at zammad.com

Security Advisory Details

Vulnerability Descriptions

1 - XSS vulnerability (CVE-2017-5621)

Malicious HTML sent via the REST or WebSocket API (e.g. in article or chat messages) led to execution in the application domain, causing an XSS vulnerability. Zammad did not properly sanitize user input in chat messages or ticket article contents. This is now fixed with dedicated functionality that prevents the issue in all upcoming chat messages and ticket article contents.

Special 🙏 and 🤘 and ❤️ to:

N: nomoketo / Nicole Klünder
D: Software & Web Developer
W: https://github.com/nomoketo / https://nomoketo.de

N: BenBE / Benny Baumann
D: IT Security & OpenSource Developer
W: https://github.com/benbe

N: raphaelm / Raphael Michel
D: Software Developer
W: https://github.com/raphaelm / https://raphaelmichel.de

N: frank_zabel / Johannes Nickel

2 - Attachments in new tab (CVE-2017-5620)

Attachments were opened in a new tab instead of being downloaded. This created an attack vector for executing malicious HTML in the domain of the Zammad application. This is now fixed for all attachments: attachments are downloaded instead of being shown in a browser tab, so their content no longer runs within the Zammad application domain.

Special 🙏 and 🤘 and ❤️ to:

N: LukasReschke / Lukas Reschke
D: Security Researcher
W: https://github.com/LukasReschke

3 - Login with hashed password itself (CVE-2017-5619)

Attackers could log in with the hashed password itself (e.g. taken from the DB) instead of the valid password string. This is only critical if an attacker has already gained access to your user database. The old plain-password functionality is now removed and disabled completely. Additionally, the password hashing was improved from SHA2 (without a salt) to Argon2. Argon2 is the official winner of the Password Hashing Competition.

Special 🙏 and 🤘 and ❤️ to:

N: nomoketo / Nicole Klünder
D: Software & Web Developer
W: https://github.com/nomoketo / https://nomoketo.de

N: BenBE / Benny Baumann
D: IT Security & OpenSource Developer
W: https://github.com/benbe

N: raphaelm / Raphael Michel
D: Software Developer
W: https://github.com/raphaelm / https://raphaelmichel.de
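
The following is an added example, not Zammad's own code, that models the flaw described above: a legacy plain-password path compared the stored value directly to the supplied string, so the stored hash itself was accepted as a valid password. Zammad's fix uses Argon2; this stand-alone version uses PBKDF2-HMAC-SHA256 from Ruby's standard library (an assumption made so it runs without extra gems), and the storage format "pbkdf2$iterations$salt$key" is constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Zammad's code): vulnerable vs. fixed password check.
module PasswordCheck
  ITERATIONS = 100_000
  KEY_LEN = 32

  # Stored format (constructed for this example): "pbkdf2$<iterations>$<hex salt>$<hex key>"
  def self.hash_password(password)
    salt = SecureRandom.hex(16)            # fresh random salt per password
    key = derive(password, salt, ITERATIONS)
    "pbkdf2$#{ITERATIONS}$#{salt}$#{key}"
  end

  # PBKDF2-HMAC-SHA256 stands in for Argon2 here; the comparison logic is the point.
  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LEN, hash: 'sha256').unpack1('H*')
  end

  # Vulnerable: a legacy "plain password" fallback compares the stored value
  # directly to the input, so supplying the stored hash string logs you in.
  def self.authenticate_vulnerable(stored, supplied)
    return true if stored == supplied      # legacy plain-password path (the flaw)
    hashed_matches?(stored, supplied)
  end

  # Fixed: only ever compare hash(supplied) against the stored hash.
  def self.authenticate_fixed(stored, supplied)
    hashed_matches?(stored, supplied)
  end

  def self.hashed_matches?(stored, supplied)
    scheme, iterations, salt, key = stored.to_s.split('$', 4)
    iters = iterations.to_i
    return false unless scheme == 'pbkdf2' && iters.positive? && salt && key
    secure_equal?(derive(supplied, salt, iters), key)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```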

4 - Missing CSRF Token (CVE-2017-6081)

Attackers can send cross-domain POST/PUT/DELETE/PATCH requests via JavaScript in the name of a Zammad user with a valid session, due to missing CSRF tokens. This can be used to send blind payloads to the whole Zammad REST API, performing write actions with the privileges of the attacked user.

Special 🙏 and 🤘 and ❤️ to:

N: nomoketo / Nicole Klünder
D: Software & Web Developer
W: https://github.com/nomoketo / https://nomoketo.de

5 - Unsafe Access Control Headers (CVE-2017-6080)

Attackers can send cross-domain requests and read the result via JavaScript in the name of a Zammad user with a valid session, due to missing HTTP Access-Control header restrictions. This can be used to access the whole Zammad REST API with the privileges of the attacked user.

Special 🙏 and 🤘 and ❤️ to:

N: nomoketo / Nicole Klünder
D: Software & Web Developer
W: https://github.com/nomoketo / https://nomoketo.de

N: raphaelm / Raphael Michel
D: Software Developer & Hacker
W: https://github.com/raphaelm / https://www.raphaelmichel.de/

Recommended Resolution

These vulnerabilities are fixed in the latest versions of Zammad, and it is recommended to upgrade to one of these.

Fixed releases can be found at:

Or just update your Zammad if installed via OS package manager.

Additional information

Online version of this advisory: https://zammad.com/de/news/security-advisory-zaa-2017-01

Send all remarks regarding security issues to security @ zammad.com.