Zammad 6.4.2
This release includes important security patches. Please read the release notes carefully and update your Zammad system as soon as possible.
Authenticated administrators can configure webhooks that send POST requests when specific conditions are met. If a webhook endpoint responds with a redirect, Zammad would automatically follow up with a GET request. This behavior could be exploited by attackers to initiate GET requests to internal network resources. This vulnerability has now been addressed.
For more details, please refer to the Security Advisory ZAA-2025-01.
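A regression check for the webhook redirect behavior described above, added here as an example and not taken from Zammad's code: a sender that treats a redirect response as a failed delivery, run against a constructed local endpoint that answers the POST with a 302. The names `deliver_webhook`, `start_redirecting_endpoint` and `demo` are hypothetical.

```ruby
require "net/http"
require "socket"
require "uri"

# Hypothetical helper (not Zammad's code): send the webhook POST and treat a
# 3xx answer as a failed delivery. The Location target is never requested.
def deliver_webhook(url, payload)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port, nil) # nil: ignore proxy env vars
  http.use_ssl = uri.scheme == "https"
  http.open_timeout = http.read_timeout = 2
  res = http.post(uri.request_uri, payload, "Content-Type" => "application/json")
  return { ok: false, status: res.code.to_i, refused_location: res["location"] } if res.is_a?(Net::HTTPRedirection)
  { ok: res.is_a?(Net::HTTPSuccess), status: res.code.to_i }
end

# Constructed endpoint: answers POST with a 302 to /internal on itself and
# records the request line of everything it receives.
def start_redirecting_endpoint(seen)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  thread = Thread.new do
    loop do
      client = server.accept
      seen << (request_line = client.gets.to_s.strip)
      length = 0
      while (line = client.gets) && line != "\r\n"
        length = line.split(":", 2)[1].to_i if line =~ /\Acontent-length:/i
      end
      client.read(length) if length.positive?
      redirect = "HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1:#{port}/internal\r\n"
      head = request_line.start_with?("POST") ? redirect : "HTTP/1.1 200 OK\r\n"
      client.write(head + "Content-Length: 0\r\nConnection: close\r\n\r\n")
      client.close
    end
  end
  [server, thread, port]
end

def demo
  seen = []
  server, thread, port = start_redirecting_endpoint(seen)
  result = deliver_webhook("http://127.0.0.1:#{port}/hook", '{"ticket_id": 1}')
  thread.kill
  server.close
  [result, seen]
end

p demo if $PROGRAM_NAME == __FILE__
```

The endpoint's request log is the evidence: a sender that followed the redirect would leave a second entry, `GET /internal HTTP/1.1`, after the POST.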
When changing their two-factor authentication configuration, users must re-authenticate using their current password. Previously, this was enforced only on the frontend and not validated via the API. This security gap has since been closed.
For more details, please refer to the Security Advisory ZAA-2025-02.
Shared article drafts are meant to be visible only to agents. However, logged-in customers were able to see and manipulate draft information for their tickets via the browser console and API. This unintended access has been blocked.
For more details, please refer to the Security Advisory ZAA-2025-03.
An agent with general knowledge base permissions was previously able to fetch content via the API that they were not explicitly authorized to access. The underlying permission checks have now been corrected to enforce proper restrictions.
For more details, please refer to the Security Advisory ZAA-2025-04.
Please note that you must meet the following browser requirements to use this version:
ZAA-2025-01
ZAA-2025-02
ZAA-2025-03
ZAA-2025-04
All improvements can be found in the Changelog.
Here you can find information on upgrading your Zammad installation: