Security Advisory
ZAA-2021-19
· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2021-19
- Date: 10/08/2021
- Title: Ticket overview shows Tickets for which no permissions are available
- Severity: low
- Product: Zammad 5.0.0
- Fixed in: Zammad 5.0.1
- References:
--> CVE: CVE-2021-42137
Vulnerability Descriptions
Ticket overview shows Tickets for which no permissions are available
Zammad comes with the functionality to list Tickets in overviews. Only Tickets are shown for which the current User has permissions. Because of incorrect access control it was possible to see Tickets of the same Organization if the Organization is marked as shared. However, it was not possible to open the Ticket but only to see the meta information like title, state etc.
Special 🙏 and 🤘 and ❤️ to:
- C: Telemar Electronics GmbH
- W: https://www.telemar.de/
Recommended Resolution
This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.
Fixed releases can be found at:
- https://zammad.org/
- https://ftp.zammad.com/
Or just update your Zammad if installed via OS package manager.
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2021-19
Send all remarks to security issues to security@zammad.com.