Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.
References
Link | Resource |
---|---|
https://zammad.com/de/advisories/zaa-2022-09 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-09-27T15:27:48
Updated: 2022-09-27T15:27:48
Reserved: 2022-09-19T00:00:00
Link: CVE-2022-40816
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-09-27T23:15:16.483
Modified: 2023-08-08T14:22:24.967
Link: CVE-2022-40816
JSON object: View
Redhat Information
No data.
CWE