Security Advisory

ZAA-2017-01

Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

Vulnerability Descriptions

1 - XSS vulnerability (CVE-2017-5621)

Malicious HTML sent via the REST or WebSocket API (e.g. in ticket articles or chat messages) was executed in the application's origin, causing an XSS vulnerability. Zammad did not properly sanitize user input in chat messages or ticket article contents. This is now fixed by dedicated sanitization that is applied to all upcoming chat messages and ticket article contents.

Special 🙏 and 🤘 and ❤️ to:

2 - Attachments in new tab (CVE-2017-5620)

Attachments are opened in a new tab instead of being downloaded. This creates an attack vector for executing malicious HTML within the domain of the Zammad application. This is now fixed for all attachments: they are downloaded instead of rendered in a browser tab, so they no longer run within the Zammad application's origin.

Special 🙏 and 🤘 and ❤️ to:

3 - Login with hashed password itself (CVE-2017-5619)

Attackers can log in with the hashed password itself (e.g. taken from the DB) instead of the valid password string. This is only critical if an attacker has already gained access to your user database. The old plain password functionality is now removed and disabled completely. Additionally, the password hashing was improved from SHA2 (without a salt) to Argon2. Argon2 is the official winner of the Password Hashing Competition.

Special 🙏 and 🤘 and ❤️ to:
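As an added illustration of item 3 (example code, not Zammad's own): a legacy verifier that accepts the stored hash as a password, beside a hardened one. Zammad moved to Argon2, which needs an extra gem; this stand-in uses OpenSSL's scrypt KDF instead, and the `scrypt$<salt>$<digest>` record format is an assumption made for the example.

```ruby
require 'openssl'
require 'securerandom'

# Legacy verifier modelling the flaw in item 3 (constructed, not Zammad's code):
# credentials are stored as unsalted SHA-256 hex digests, and a "plain password"
# compatibility path compares the submitted string directly with the stored
# value. A copy of the user table therefore doubles as a set of valid passwords.
def legacy_password_valid?(stored, submitted)
  return true if stored == submitted                     # flawed compatibility path
  stored == OpenSSL::Digest::SHA256.hexdigest(submitted) # unsalted SHA2 check
end

# Hardened verifier. Zammad moved to Argon2; as a stand-in that needs no extra
# gem this uses OpenSSL's scrypt KDF (also memory-hard). The record format
# "scrypt$<salt hex>$<digest hex>" is constructed for this example.
SCRYPT_N = 2**14
SCRYPT_R = 8
SCRYPT_P = 1
DIGEST_LEN = 32

def derive(password, salt)
  OpenSSL::KDF.scrypt(password, salt: salt, N: SCRYPT_N, r: SCRYPT_R,
                      p: SCRYPT_P, length: DIGEST_LEN)
end

def hash_password(password, salt = SecureRandom.random_bytes(16))
  "scrypt$#{salt.unpack1('H*')}$#{derive(password, salt).unpack1('H*')}"
end

# Byte-wise comparison without early exit, so timing does not leak how many
# leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_valid?(stored, submitted)
  scheme, salt_hex, digest_hex = stored.to_s.split('$', 3)
  return false unless scheme == 'scrypt' && salt_hex && digest_hex
  salt = [salt_hex].pack('H*')
  expected = [digest_hex].pack('H*')
  # The submitted string is only ever fed through the KDF, never compared with
  # the stored record itself, so a leaked record cannot be replayed as a password.
  constant_time_equal?(expected, derive(submitted, salt))
end
```

Running `legacy_password_valid?(hash, hash)` returns true for a leaked digest, while `password_valid?(record, record)` returns false, which is the property the fix restores.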

4 - Missing CSRF Token (CVE-2017-6081)

Attackers can send cross domain POST/PUT/DELETE/PATCH requests via JavaScript in the name of a Zammad user with a valid session due to missing CSRF tokens. This can be used to send blind payloads to the whole Zammad REST API performing write actions with the privileges of the attacked user.

Special 🙏 and 🤘 and ❤️ to:

5 - Unsafe Access Control Headers (CVE-2017-6080)

Attackers can send cross domain requests and receive the result via JavaScript in the name of a Zammad user with a valid session due to missing HTTP Access-Control header restrictions. This can be used to access the whole Zammad REST API with the privileges of the attacked user.

Special 🙏 and 🤘 and ❤️ to:

These vulnerabilities are fixed in the latest versions of Zammad, and it is recommended to upgrade to one of these.

Fixed releases can be found at:

Additional information

Online version of this advisory: https://zammad.com/en/advisories/zaa-2017-01

Send all remarks regarding security issues to security@zammad.com.
