Security Advisory

ZAA-2021-19

· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2021-19
  • Date: 10/08/2021
  • Title: Ticket overview shows Tickets for which no permissions are available
  • Severity: low
  • Product: Zammad 5.0.0
  • Fixed in: Zammad 5.0.1
  • References:
    --> CVE: CVE-2021-42137

Vulnerability Descriptions

Ticket overview shows Tickets for which no permissions are available

Zammad comes with the functionality to list Tickets in overviews. Only Tickets are shown for which the current User has permissions. Because of incorrect access control it was possible to see Tickets of the same Organization if the Organization is marked as shared. However, it was not possible to open the Ticket but only to see the meta information like title, state etc.

Special 🙏 and 🤘 and ❤️ to:

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

Additional information

Online version of this advisory: https://zammad.com/en/advisories/zaa-2021-19

Send all remarks to security issues to security@zammad.com.

Signup
Together we turn your customers into fans.
Start free trial!