Security Release

Zammad 6.4.2

This release includes important security patches. Please read the release notes carefully and update your Zammad system as soon as possible.

Server Side Request Forgery

Authenticated administrators can configure webhooks that send POST requests when specific conditions are met. If a webhook endpoint responds with a redirect, Zammad would automatically follow up with a GET request. This behavior could be exploited by attackers to initiate GET requests to internal network resources. This vulnerability has now been addressed.

📖 For more details, please refer to the Security Advisory ZAA-2025-01.
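One way a webhook sender can avoid the redirect behavior described above, as an added example (not Zammad's code or its actual fix): send the POST once and report any 3xx answer as a failed delivery. The names `deliver_webhook`, `with_stub_endpoint` and `redirect_demo`, the `/internal-only` path and the loopback stub server are all constructed for this illustration.

```ruby
require "net/http"
require "socket"
require "uri"

# Outcome of one delivery; refused_location is a redirect target that was recorded, never requested.
Delivery = Struct.new(:ok, :status, :refused_location)

# POST the payload exactly once. Net::HTTP does not follow redirects on its own,
# so a 3xx answer becomes a failed delivery instead of a GET to the Location target.
def deliver_webhook(endpoint, payload)
  uri = URI(endpoint)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.post(uri.request_uri, payload, "Content-Type" => "application/json")
  end
  redirect = res.is_a?(Net::HTTPRedirection)
  Delivery.new(res.is_a?(Net::HTTPSuccess), res.code.to_i, redirect ? res["Location"] : nil)
end

# Constructed stand-in for a webhook endpoint: a loopback server that answers
# every request with the same status and headers and logs each request line.
def with_stub_endpoint(status_line, headers = {})
  server = TCPServer.new("127.0.0.1", 0)
  seen = []
  worker = Thread.new do
    loop do
      client = server.accept
      seen << client.gets.to_s.strip
      length = 0
      while (line = client.gets) && line != "\r\n"
        length = line.split(":", 2)[1].to_i if line =~ /\Acontent-length:/i
      end
      client.read(length) if length > 0
      head = headers.map { |k, v| "#{k}: #{v}\r\n" }.join
      client.write("HTTP/1.1 #{status_line}\r\n#{head}Content-Length: 0\r\nConnection: close\r\n\r\n")
      client.close
    end
  end
  yield "http://127.0.0.1:#{server.addr[1]}/hook", seen
ensure
  worker&.kill
  server&.close
end

# The endpoint answers 302; only the original POST may reach the server.
def redirect_demo
  with_stub_endpoint("302 Found", "Location" => "/internal-only") do |url, seen|
    [deliver_webhook(url, '{"ticket":1}'), seen.dup]
  end
end
```

The stub's request log is the check that matters: after a 302 it must contain the single POST and no follow-up GET.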

Incorrect Access Control

When changing their two-factor authentication configuration, users must re-authenticate using their current password. Previously, this was enforced only on the frontend and not validated via the API. This security gap has since been closed.

📖 For more details, please refer to the Security Advisory ZAA-2025-02.

Incorrect Access Control to Article Drafts

Shared article drafts are meant to be visible only to agents. However, logged-in customers were able to see and manipulate draft information for their tickets via the browser console and API. This unintended access has been blocked.

📖 For more details, please refer to the Security Advisory ZAA-2025-03.

Incorrect Access Control

An agent with general knowledge base permissions was previously able to fetch content via the API that they were not explicitly authorized to access. The underlying permission checks have now been corrected to enforce proper restrictions.

📖 For more details, please refer to the Security Advisory ZAA-2025-04.

Technical Requirements

Please note that you must meet the following browser requirements to use this version:

  • Chrome: 83
  • Firefox: 78
  • Explorer: 11
  • Safari: 11
  • Opera: 69
  • Edge: 83

Advisories

ZAA-2025-01
ZAA-2025-02
ZAA-2025-03
ZAA-2025-04

Download Zammad 6.4.2

All improvements can be found in the Changelog.

Packages

Source code

Upgrade

Here you can find information on upgrading your Zammad installation:
