Security Advisory


· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2020-08
  • Date: 03/03/2020
  • Title: Information Disclosure in HTTP Headers of default config example
  • Severity: low
  • Product: Zammad 1.0.x up to 3.2.0
  • Fixed in: Zammad 3.2.1, 3.3.0
  • References:
    --> CVE: pending

Vulnerability Descriptions

Information Disclosure in HTTP Headers of default config example (CVE pending)

HTTP response headers from the Zammad application include the type and version of the web server software deployed for the system. An attacker could use this information to find public vulnerabilities and target attacks against specific types and versions of the server.

It is also possible to determine the exact version of the NginX/Apache2 used by the application from the HTTP response headers that were configured with the example/default configuration.

Special 🙏 and 🤘 and ❤️ to:

Existing Webserver/Reverse Proxies installations can't be updated automatically. Therefore manual action is required.

Additional information

Online version of this advisory:

Send all remarks to security issues to

Together we turn your customers into fans.
Start free trial!
All releases and news directly in your inbox.
Subscribe to the newsletter