Security Release
Zammad 6.4.2
ยท This release includes important security patches. Please read the release notes carefully and update your Zammad system as soon as possible.
Server Side Request Forgery
Authenticated administrators can configure webhooks that send POST requests when specific conditions are met. If a webhook endpoint responds with a redirect, Zammad would automatically follow up with a GET request. This behavior could be exploited by attackers to initiate GET requests to internal network resources. This vulnerability has now been addressed.
๐ For more details, please refer to the Security Advisory ZAA-2025-01.
Incorrect Access Control
When changing their two-factor authentication configuration, users must re-authenticate using their current password. Previously, this was enforced only on the frontend and not validated via the API. This security gap has since been closed.
๐ For more details, please refer to the Security Advisory ZAA-2025-02.
Incorrect Access Control to Article Drafts
Shared article drafts are meant to be visible only to agents. However, logged-in customers were able to see and manipulate draft information for their tickets via the browser console and API. This unintended access has been blocked.
๐ For more details, please refer to the Security Advisory ZAA-2025-03.
Incorrect Access Control
An agent with general knowledge base permissions was previously able to fetch content via the API that they were not explicitly authorized to access. The underlying permission checks have now been corrected to enforce proper restrictions.
๐ For more details, please refer to the Security Advisory ZAA-2025-04.
Technical Requirements
Please note that you must meet the following browser requirements to use this version:
- Chrome: 83
- Firefox: 78
- Explorer: 11
- Safari: 11
- Opera: 69
- Edge: 83
Advisories
ZAA-2025-01
ZAA-2025-02
ZAA-2025-03
ZAA-2025-04
Download Zammad 6.4.2
All improvements can be found in the Changelog.
Packages
Source code
- ftp.zammad.com/zammad-6.4.2.tar.bz2 (f5d9965a036010d151e0229561d79a6a)
- ftp.zammad.com/zammad-6.4.2.tar.gz (333067a44ec600e18bfef8bbce2cc0ed)
- ftp.zammad.com/zammad-6.4.2.zip (0fecdd8f4d14b3a0c2d10d1089339bb9)
Upgrade
Here you can find information on upgrading your Zammad installation: